
OIDC login CORS error

Status: Open. Firefox2100 opened this issue 1 year ago • 4 comments

Current Behavior

When logging in via a custom OIDC provider, the front end sends a GET request to the .well-known/openid-configuration endpoint, which does not have a CORS header. Front-end triggers:

An error occurred while redirecting to the OpenID Connect identity provider.

The browser's inspect tool shows a CORS error.

Steps to Reproduce

  1. Start the service using the following docker-compose file:
version: '3.7'

volumes:
  dependency-track:

services:
  dtrack-apiserver:
    image: dependencytrack/apiserver
    environment:
    - "ALPINE_OIDC_ENABLED=true"
    - "ALPINE_OIDC_ISSUER=https://auth.mydomain.com/webman/sso"
    - "ALPINE_OIDC_CLIENT_ID=my_client_id"
    - "ALPINE_OIDC_USERNAME_CLAIM=preferred_username"
    - "ALPINE_OIDC_TEAMS_CLAIM=groups"
    - "ALPINE_OIDC_USER_PROVISIONING=true"
    - "ALPINE_OIDC_TEAM_SYNCHRONIZATION=true"
    deploy:
      resources:
        limits:
          memory: 12288m
        reservations:
          memory: 8192m
      restart_policy:
        condition: on-failure
    ports:
      - '15081:8080'
    volumes:
      - 'dependency-track:/data'
    restart: unless-stopped

  dtrack-frontend:
    image: dependencytrack/frontend
    depends_on:
      - dtrack-apiserver
    environment:
      - "API_BASE_URL=https://dt-api.mydomain.com"
      - "OIDC_ISSUER=https://auth.mydomain.com/webman/sso"
      - "OIDC_CLIENT_ID=my_client_id"
      - "OIDC_SCOPE=openid profile email"
    ports:
      - "15080:8080"
    restart: unless-stopped
  2. Configure the OIDC provider. I tested both Keycloak and the Synology SSO service.
  3. Configure the reverse proxy. The backend is hosted at https://dt-api.mydomain.com, the frontend at https://dependency-track.mydomain.com, and the OIDC service at https://auth.mydomain.com.
  4. Start the docker stack, go to the login page, and click the OIDC button. You get the CORS error.

Expected Behavior

The OIDC login button should have redirected me to the OIDC provider. The front end should have sufficient information from the environment variables to redirect. The request to the well-known endpoint is not really necessary. Is there some config I'm missing, or do I need to proxy the OIDC server under the same domain?

Thank you for your help!

Dependency-Track Version

4.10.1

Dependency-Track Distribution

Container Image

Database Server

N/A

Database Server Version

No response

Browser

Google Chrome

Firefox2100 avatar Feb 28 '24 12:02 Firefox2100

Which request is giving you the CORS error? The GET to the IdP?

valentijnscholten avatar Feb 28 '24 13:02 valentijnscholten

Yes, the GET to https://auth.mydomain.com/webman/sso/.well-known/openid-configuration

Firefox2100 avatar Feb 28 '24 13:02 Firefox2100

That means you need to whitelist the frontend's host (as in, the origin of the GET request) in your IdP.

I don't know the specific IdP you're using, but in Keycloak there's an "Allowed Origins" setting where this can be configured.

nscuro avatar Feb 28 '24 16:02 nscuro

Thank you for your help. Are you referring to the Web Origins configuration in the client settings? If so, I had it correctly configured when testing with Keycloak. I've also used Postman to request the well-known endpoint directly, and the response does not seem to contain a CORS header. I could not find any documentation on how it's configured, and since the well-known endpoint is shared in the same realm, I'm not sure if it was meant to be configured for a single (or multiple) origin. Could you please confirm that in your setup, your frontend also sends a GET request to the OIDC config endpoint?

Firefox2100 avatar Feb 28 '24 17:02 Firefox2100
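As an added check (not part of this thread and not Dependency-Track code), the script below repeats what the frontend's browser does: a GET on the issuer's .well-known/openid-configuration carrying an Origin header, followed by the browser's CORS rule applied to the response. A Postman request without an Origin header may not elicit CORS headers from some IdPs, so a probe that sends Origin is the fairer test; `cors_allows` and `probe_discovery` are hypothetical helper names.

```python
# Added check, not part of this thread or of Dependency-Track: repeat what the
# frontend's browser does (GET on the discovery document with an Origin header)
# and apply the browser's CORS rule to the response. Helper names are hypothetical.
import json
import urllib.request
from urllib.error import HTTPError


def cors_allows(origin, headers, credentials=False):
    """Browser CORS check for a simple GET. `headers` is the response header
    mapping (matched case-insensitively). Returns (allowed, reason)."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    acao = lowered.get("access-control-allow-origin")
    if acao is None:
        return False, "no Access-Control-Allow-Origin header in the response"
    if acao == "*":
        # Browsers reject a wildcard when the fetch carried credentials.
        if credentials:
            return False, "wildcard origin is rejected for credentialed requests"
        return True, "wildcard origin"
    if acao != origin:
        return False, f"Access-Control-Allow-Origin is {acao!r}, not {origin!r}"
    if credentials and lowered.get("access-control-allow-credentials", "").lower() != "true":
        return False, "origin matches but Access-Control-Allow-Credentials is not 'true'"
    return True, "origin allowed"


def probe_discovery(issuer, origin, timeout=10):
    """GET <issuer>/.well-known/openid-configuration with the frontend's Origin
    and report status, CORS verdict and whether the document's `issuer` matches."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    req = urllib.request.Request(url, headers={"Origin": origin, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            headers = dict(resp.headers.items())
            body = json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:
        return {"status": err.code, "allowed": False, "reason": f"HTTP {err.code}", "issuer_matches": False}
    allowed, reason = cors_allows(origin, headers)
    return {"status": status, "allowed": allowed, "reason": reason,
            "issuer_matches": body.get("issuer", "").rstrip("/") == issuer.rstrip("/")}


if __name__ == "__main__":
    # Hostnames taken from the issue; substitute your own deployment.
    print(probe_discovery("https://auth.mydomain.com/webman/sso",
                          "https://dependency-track.mydomain.com"))
```

A missing Access-Control-Allow-Origin in this probe's output reproduces the failure from the issue; an origin mismatch points at the IdP's allowed-origins setting rather than at the frontend.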