
OIDC request blocked by CORS

Open robisaacnz opened this issue 6 months ago • 6 comments

When setting up OIDC in BookLore for use with the Synology OIDC server, the connection attempt to the provider fails with a CORS error, preventing the issuing of a token.

I'm not 100% sure what's happening here, but I think BookLore is trying to acquire an auth token inline using XMLHttpRequest rather than redirecting to the auth provider. This request is getting blocked by the CORS policy on the provider, despite BookLore and the SSO provider using the same protocol (HTTPS), domain (muppetlabs.org), and port (443). This might be due to a reverse proxy on BookLore.

oauth2-callback:1 Access to XMLHttpRequest at 'https://authentication.muppetlabs.org/webman/sso/SSOAccessToken.cgi' from origin 'https://books.muppetlabs.org' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
main-S24KZ6S7.js:5918 Error getting token Ecerror: ProgressEvent {isTrusted: true, lengthComputable: false, loaded: 0, total: 0, type: 'error', …}headers: t {headers: Map(0), normalizedNames: Map(0), lazyInit: undefined, lazyUpdate: null}message: "Http failure response for https://authentication.muppetlabs.org/webman/sso/SSOAccessToken.cgi: 0 Unknown Error"name: "HttpErrorResponse"ok: falsestatus: 0statusText: "Unknown Error"type: undefinedurl: "https://authentication.muppetlabs.org/webman/sso/SSOAccessToken.cgi"[[Prototype]]: ldconstructor: class extends[[Prototype]]: Object
(anonymous) @ main-S24KZ6S7.js:5918
main-S24KZ6S7.js:7874 OIDC initialization failed: Unable to complete OpenID Connect discovery or login. This may be due to an incorrect issuer URL, client ID, or network issue. Falling back to local login. Details: Ec
(anonymous) @ main-S24KZ6S7.js:7874
authentication.muppetlabs.org/webman/sso/SSOAccessToken.cgi:1

The SSO server in question already provides auth to dozens of other applications, but none that use an inline request rather than a redirect. The Synology SSO provider is closed source and non-trivial to modify to add (for example) an allow origin header.

A more general solution might be to implement a redirect workflow for OIDC rather than the current inline request, but I'm not sure about that.

robisaacnz, Jun 15 '25 22:06

I'm having this same problem with Authentik.

feliscat, Jun 28 '25 16:06

also having the same problem with Authentik

HennieLP, Jun 28 '25 17:06

Thanks for the detailed info! I’ll see if I can make the OIDC flow follow a more standard redirect-based approach. To be honest, I learned about OIDC only after multiple requests and implemented it rather quickly in 2-3 days, so it’s definitely not perfect yet.

acx10, Jun 29 '25 04:06

I’ll be working on improving the OIDC implementation soon. If anyone is interested in testing it once complete, please reach out to me on Discord: https://discord.gg/Ee5hd458Uz

acx10, Jun 29 '25 04:06

I’ve pushed a potential fix here: https://github.com/adityachandelgit/BookLore/pkgs/container/booklore-app/449429172?tag=f10b9a8

Please give it a try and let me know if it resolves the issue or if you run into anything else.

acx10, Jun 29 '25 08:06

Deployed this revision but unfortunately the same error occurs.

login:1 Access to XMLHttpRequest at 'https://authentication.muppetlabs.org/webman/sso/SSOOauth.cgi/.well-known/openid-configuration' from origin 'https://books.muppetlabs.org' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
main-MFU43ARA.js:1356 error loading discovery document Ncerror: ProgressEvent {isTrusted: true, lengthComputable: false, loaded: 0, total: 0, type: 'error', …}headers: t {headers: Map(0), normalizedNames: Map(0), lazyInit: undefined, lazyUpdate: null}message: "Http failure response for https://authentication.muppetlabs.org/webman/sso/SSOOauth.cgi/.well-known/openid-configuration: 0 Unknown Error"name: "HttpErrorResponse"ok: falsestatus: 0statusText: "Unknown Error"type: undefinedurl: "https://authentication.muppetlabs.org/webman/sso/SSOOauth.cgi/.well-known/openid-configuration"[[Prototype]]: gd
(anonymous) @ main-MFU43ARA.js:1356
main-MFU43ARA.js:7986 OIDC initialization failed: Unable to complete OpenID Connect discovery or login. This may be due to an incorrect issuer URL, client ID, or network issue. Falling back to local login. Details: Nc
(anonymous) @ main-MFU43ARA.js:7986
authentication.muppetlabs.org/webman/sso/SSOOauth.cgi/.well-known/openid-configuration:1 

I'll swing by your Discord soon.

robisaacnz, Jun 29 '25 09:06