Access to XMLHttpRequest at 'xxx/.well-known/openid-configuration' from origin 'xxxx' has been blocked by CORS

Time: 2019-12-19 03:05:16

Tags: angular cors openid-connect okta okta-api

I am using Okta OAuth for authentication and authorization in an Angular 8 application. Fetching 'https://dev-166545.okta.com/oauth2/aus1igd7yewoAs4xa357/.well-known/openid-configuration' is causing a problem.

(screenshot: trusted origins)

I added the redirect URL under Okta Trusted Origins. Due to company policy I cannot add the URL for CORS.

How can I solve the CORS problem?

Access to XMLHttpRequest at 'https://dev-166545.okta.com/oauth2/aus1igd7yewoAs4xa357/.well-known/openid-configuration' from origin 'https://localhost:44307' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

However, in the Network tab I can see:


3 answers:

Answer 0 (score: 0)

The question needs more details, in particular the preflight request/response headers and the request/response headers. Don't use localhost (because of the browser issues mentioned) and http (because a production setup with https needs a different CORS configuration).

Raw curl preflight:

curl -H "Origin: https://acme.com" \
 -H "Access-Control-Request-Method: GET" \
 -H "Access-Control-Request-Headers: X-Requested-With, :method" \
 -X OPTIONS -k https://dev-166545.okta.com/oauth2/aus1igd7yewoAs4xa357/.well-known/openid-configuration \
 --silent --verbose 2>&1 | grep Access-Control

=> gives you an idea of what is requested and what comes back.

Type CORS != Type Redirect + a valid origin is e.g. http://localhost:8080, not http://localhost:8080/ -> it is unclear how the CORS type was configured.
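The two points made in this answer (a missing Access-Control-Allow-Origin header, and an origin value that must match exactly, without a trailing slash) are what the browser's CORS check enforces. The following is an added example, not code from the original answer or from Okta: a simplified model of that check run against constructed response headers for the discovery-document fetch in the question. The header values are made up to illustrate each case; how Okta actually populates them is not shown on this page.

```javascript
// Added example: a simplified model of the browser-side CORS check, applied to
// constructed responses that mimic the situations discussed in this thread.
// Runs offline under Node; no request is sent anywhere.

// Request headers the browser may send without them being listed in
// Access-Control-Allow-Headers (part of the Fetch spec's safelist).
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

/**
 * Decide whether the browser would let page script read a cross-origin response.
 * @param {string}   origin          page origin, e.g. 'https://localhost:44307'
 * @param {string}   method          HTTP method of the actual request
 * @param {string[]} requestHeaders  headers the application adds to the XHR
 * @param {object}   responseHeaders headers returned by the server
 * @param {boolean}  withCredentials XHR withCredentials / fetch credentials: 'include'
 * @returns {{allowed: boolean, reason: string}}
 */
function checkCors(origin, method, requestHeaders, responseHeaders, withCredentials = false) {
  const h = lowerKeys(responseHeaders);
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) {
    return { allowed: false, reason: "No 'Access-Control-Allow-Origin' header is present on the requested resource." };
  }
  // Serialized origins are compared as exact strings: scheme, host, port.
  // 'https://localhost:44307/' (trailing slash) is not the same value as 'https://localhost:44307'.
  if (acao !== '*' && acao !== origin) {
    return { allowed: false, reason: `Origin '${origin}' does not match Access-Control-Allow-Origin '${acao}'.` };
  }
  if (withCredentials) {
    if (acao === '*') return { allowed: false, reason: "Access-Control-Allow-Origin '*' cannot be used with credentials." };
    if (h['access-control-allow-credentials'] !== 'true') return { allowed: false, reason: "Access-Control-Allow-Credentials is not 'true'." };
  }

  // A preflight (OPTIONS) is sent for non-safelisted methods or headers, and
  // its response must list them as well.
  const extraHeaders = requestHeaders.filter(n => !SAFELISTED_HEADERS.has(n.toLowerCase()));
  const needsPreflight = !SAFELISTED_METHODS.has(method.toUpperCase()) || extraHeaders.length > 0;
  if (needsPreflight) {
    const split = name => (h[name] || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
    const methods = split('access-control-allow-methods');
    const allowedHeaders = split('access-control-allow-headers');
    if (!SAFELISTED_METHODS.has(method.toUpperCase()) && !methods.includes('*') && !methods.includes(method.toLowerCase())) {
      return { allowed: false, reason: `Method ${method} is not allowed by Access-Control-Allow-Methods.` };
    }
    // '*' in Allow-Headers never covers Authorization, and means nothing with credentials.
    const wildcard = allowedHeaders.includes('*') && !withCredentials;
    for (const name of extraHeaders) {
      const n = name.toLowerCase();
      if (!allowedHeaders.includes(n) && !(wildcard && n !== 'authorization')) {
        return { allowed: false, reason: `Request header ${name} is not allowed by Access-Control-Allow-Headers.` };
      }
    }
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed scenarios for the GET of the discovery document.
const ORIGIN = 'https://localhost:44307';
// Response with no CORS headers at all, as the error in the question reports.
const noCorsHeaders = { 'Content-Type': 'application/json' };
// Response that allows the app origin (what a Trusted Origin with CORS enabled should produce).
const corsEnabled = {
  'Content-Type': 'application/json',
  'Access-Control-Allow-Origin': ORIGIN,
  'Access-Control-Allow-Methods': 'GET, OPTIONS',
  'Access-Control-Allow-Headers': 'X-Requested-With',
};
// Origin entered with a trailing slash: the string no longer matches.
const trailingSlash = { 'Access-Control-Allow-Origin': ORIGIN + '/' };

function scenarios() {
  return {
    noHeader: checkCors(ORIGIN, 'GET', ['Accept'], noCorsHeaders),
    enabled: checkCors(ORIGIN, 'GET', ['Accept'], corsEnabled),
    // The curl preflight above adds X-Requested-With, which forces an OPTIONS round trip.
    curlPreflight: checkCors(ORIGIN, 'GET', ['X-Requested-With'], corsEnabled),
    trailingSlash: checkCors(ORIGIN, 'GET', ['Accept'], trailingSlash),
    otherOrigin: checkCors('https://acme.com', 'GET', ['Accept'], corsEnabled),
  };
}
```

Running `scenarios()` reproduces the exact wording of the question's error for the first case and shows that the trailing-slash variant fails for a different reason, which is the distinction the answer draws between a redirect URI (a full URL) and a CORS origin (scheme, host and port only).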

Answer 1 (score: 0)

The preferred approach is to add your web domain under Okta's API / Trusted Origins, as in step 7 of my write up

(screenshot: settings needed for single page app authentication flow)

CORS is required to implement OpenID Connect for an SPA to the latest security standards via the Authorization Code Flow (PKCE).

There is also an alternative option in OIDC Client, which is to avoid supplying the authority URL and instead supply the redirect endpoint and token signing keys explicitly. For example, in my Azure code sample I prevent the JWKS lookup by supplying the token signing keys explicitly.

However, you will then be limited to the implicit flow, which is no longer recommended, so this weakens the security of the application (not in the company's interest) and adds considerable complexity to the code.

Perhaps the next step is to push back on your stakeholders and persuade them to do the sensible thing and update to the recommended industry-standard security settings.

Answer 2 (score: 0)

import { UserManagerSettings } from 'oidc-client';

// Shape of the "openId" section of Appsetting.json (see below)
interface IOpenIdOptions {
  authority: string;
  clientId: string;
  apiResourceId: string;
  redirectUri: string;
  silentRedirectUri: string;
  responseType: string;
  jwksUri: string;
}

// Service class name assumed; the post shows only the method
export class AuthService {
  getClientSettings(configuration: IOpenIdOptions): UserManagerSettings {
    return {
      authority: configuration.authority + '/',
      client_id: configuration.clientId,
      redirect_uri: configuration.redirectUri,
      post_logout_redirect_uri: configuration.redirectUri,
      response_type: configuration.responseType, // "id_token token" (implicit flow)
      scope: "openid profile email " + configuration.apiResourceId,
      filterProtocolClaims: true,
      loadUserInfo: false,      // no cross-origin call to the userinfo endpoint
      automaticSilentRenew: true,
      monitorSession: true,
      silent_redirect_uri: configuration.silentRedirectUri,
      accessTokenExpiringNotificationTime: 20, // default 60
      checkSessionInterval: 5000,              // default 2000
      silentRequestTimeout: 20000,             // default 10000
      // When CORS is disabled the discovery document and the token signing keys
      // cannot be retrieved, so supply the metadata and signing keys manually.
      metadata: {
        // The trick: jwks_uri points at a copy of the keys served from the app's own origin
        jwks_uri: configuration.jwksUri,
        authorization_endpoint: `${configuration.authority}/v1/authorize`,
        issuer: configuration.authority
      },
    };
  }
}

Appsetting.json

 "openId": {
    "authority": "https://dev-166545.okta.com/oauth2/xxxxxxxxxxxxxx",
    "clientId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "apiResourceId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "redirectUri": "https://localhost:44307/auth-callback",
    "silentRedirectUri": "https://localhost:44307/assets/silent-renew.html",
    "responseType": "id_token token",
    "jwksUri" : "https://localhost:44307/assets/jwks.json"
  }