
CORS Issue with oauth2 authentication (ClientCredentials)

Open kishm opened this issue 6 years ago • 15 comments

Hi,

I am new to SpringBoot, Springfox and Swagger2 as well. I am trying to generate Swagger2 API documentation with the help of Springfox.

I have gone through the documentation 'http://springfox.github.io/springfox/docs/current/' and am able to generate API documentation. But I am having an issue integrating with oauth2 authentication. I am trying to implement the oauth2 token to work on the tryout option of each controller. With the oauth/token (Client Credentials) implementation, I am able to successfully connect to my app login URL, but upon authentication the redirect URL is failing due to the following error.

The following exception is shown in the browser: "Access to fetch at 'https://myauthserver/authserver/oauth/token' from origin 'http://myapp' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled."

The authentication server resides in a different domain. My app is running in a different domain on the same network. Any idea what is causing the problem, and how to add the redirect URL to the CORS allowed list so that it redirects successfully to Swagger UI?

Thank you

kishm avatar Jan 03 '19 08:01 kishm

Hi @kishm!

See these docs for more information on CORS: https://github.com/swagger-api/swagger-ui/blob/master/docs/usage/cors.md

shockey avatar Jan 15 '19 04:01 shockey

Same issue here with clientCredentials login. In the chrome console:

Access to fetch at 'https://sso.company.com/auth/realms/XYZ_Public/protocol/openid-connect/token' from origin 'http://localhost:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Cross-Origin Read Blocking (CORB) blocked cross-origin response https://sso-sso.company.com/auth/realms/XYZ_Public/protocol/openid-connect/token with MIME type application/json. See https://www.chromestatus.com/feature/5629709824032768 for more details.

kremers avatar Dec 17 '19 14:12 kremers

Same issue with the clientCredentials login. Is there something that we are missing?

Whenever we click on authorize and fill in the client id and client secret we get the following: "Access to fetch at 'http://localhost:5000/connect/token' from origin 'http://localhost:5001' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled."

However when I try to authorize using the following url "https://demo.identityserver.io/connect/token" from the swagger ui it works.

ZouZou avatar Jan 18 '20 10:01 ZouZou

I'm having the same issue. I thought it would be resolved after my app was deployed to my dev server, so the origin was an actual URL instead of localhost, but no such luck.

mckhine avatar Mar 06 '20 14:03 mckhine

I have found out a couple of things.

  1. You get the same error even if your credentials are false
  2. I re-deployed my IdentityServer to another machine and it worked so it had something to do with the first machine

ZouZou avatar Mar 29 '20 14:03 ZouZou

Hi @kishm!

See these docs for more information on CORS: https://github.com/swagger-api/swagger-ui/blob/master/docs/usage/cors.md

Notice that the auth server is the one returning the CORS issue. In some cases the auth server is not the same server where the Swagger UI is hosted. In this case it would be awesome if Swagger supported a configuration param to actually send the request in no-cors mode, which would make it work in most of the cases. For now, Swagger doesn't support this, so I think there is no fix for that.

rahpuser avatar Jun 03 '20 18:06 rahpuser

Hi, I got around this by using a CORS proxy. I used this one: https://cors-anywhere.herokuapp.com/

Just put it in front of your auth address and it should work. I used client credentials on Microsoft Azure AD with oauth2 and had the same problems.

As said, a no-cors mode would be nice.

yllevanten avatar Jun 07 '20 20:06 yllevanten

Hi, I got around this by using a CORS proxy. I used this one: https://cors-anywhere.herokuapp.com/

Just put it in front of your auth address and it should work. I used client credentials on Microsoft Azure AD with oauth2 and had the same problems.

As said, a no-cors mode would be nice.

Very nice, will test it, thanks.

rahpuser avatar Jun 08 '20 18:06 rahpuser

Hi, I got around this by using a CORS proxy. I used this one: https://cors-anywhere.herokuapp.com/

Just put it in front of your auth address and it should work. I used client credentials on Microsoft Azure AD with oauth2 and had the same problems.

As said, a no-cors mode would be nice.

Can you describe it in a little more detail and give an example? Please.

8357238 avatar Jun 25 '20 08:06 8357238

Hi, just put the CORS proxy address before the address you are getting the error from.

In my case: https://cors-anywhere.herokuapp.com/Https://login.microsoftcom/tenant.onmicrosoft.com/well-known/v2.0/.default

I used it to get tokens for the client credentials in a dev environment.

yllevanten avatar Jun 30 '20 20:06 yllevanten

I'm also having the same problem right now. Our authentication server does not support the OPTIONS request and I have no control to fix it. I also agree with a comment on a similar issue https://github.com/swagger-api/swagger-ui/issues/4930#issuecomment-515920323. In short, it says that these requests are not intended to be used from the frontend. Therefore some authentication servers do not implement support for CORS. In this case the Swagger UI is "playing" the backend. So I think there should at least be an option to disable CORS for the oauth2 requests when it comes to clientCredentials.

Having a proxy would fix the issue, but as we deploy our apps in different environments it becomes a huge hassle to also have to deploy and configure a proxy for each instance... So in the end, I cannot say it is a good solution to the problem for our case.

@shockey, I don't think this is just "support" as it is labeled right now. Any thoughts?

sickan90 avatar Sep 17 '20 09:09 sickan90

Same issue here with CORS trying to authenticate with Identity Server 4. It would be good to get a solution here. From a security perspective, we can't go through a proxy, but it's good to test that this is the issue.

EDIT: As a workaround, I got this working by putting the web app and identity server on the same custom domain.

I.e. App-1.customDomain.com and identityserver.customDomain.com

p0onage avatar Jan 07 '22 16:01 p0onage

Same problem here. And it's impossible to have the Swagger UI on the same domain as the authorization server...

hugoqribeiro avatar Mar 02 '22 17:03 hugoqribeiro

@yllevanten I don't think it must be too high IQ level to notice why your suggestion is a bad idea

ujhazib avatar Oct 16 '23 08:10 ujhazib

When I use Keycloak I have a similar CORS problem, but when I set the client option:

Web origins : *

it solves my problem.

sc7258 avatar Jan 18 '24 07:01 sc7258
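The errors quoted throughout this thread (the missing `Access-Control-Allow-Origin` header, the failed preflight for the client-credentials POST), the same-domain workaround, and the Keycloak "Web origins" fix all come down to one browser-side check. The following is an added example, not code from swagger-ui or from any commenter here: it simulates the browser's CORS decision for the token POST that Swagger UI's client-credentials flow issues, against a token endpoint that ignores OPTIONS and sets no CORS headers, and against the same endpoint with an explicit origin allow-list. The origins, URLs and token body are constructed placeholders, and the helper names (`simulateTokenRequest`, `makeCorsAwareTokenEndpoint`, and so on) are this example's own.

```javascript
// Added example, not code from swagger-ui or from any commenter in this thread.
// Simulates the browser CORS check for Swagger UI's client-credentials token
// POST and a token endpoint with and without a CORS fix. All origins, URLs and
// the token body are constructed placeholders.

// The tuple browsers compare: scheme + host + port. Subdomains are distinct origins.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Headers and content types a browser may send without a preflight ("simple" requests).
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

// The client-credentials flow adds "Authorization: Basic ...", which is not a
// simple header, so the browser sends an OPTIONS preflight before the POST.
function needsPreflight(req) {
  if (!["GET", "HEAD", "POST"].includes(req.method)) return true;
  for (const [name, value] of Object.entries(req.headers)) {
    const n = name.toLowerCase();
    if (n === "origin") continue; // set by the browser itself, never triggers a preflight
    if (!SIMPLE_HEADERS.has(n)) return true;
    if (n === "content-type" && !SIMPLE_CONTENT_TYPES.some((t) => value.toLowerCase().startsWith(t))) return true;
  }
  return false;
}

// Browser-side check of a response's CORS headers against the page origin.
function corsCheck(pageOrigin, responseHeaders) {
  const allow = responseHeaders["access-control-allow-origin"];
  if (allow === undefined) {
    return { ok: false, reason: "No 'Access-Control-Allow-Origin' header is present on the requested resource." };
  }
  if (allow !== "*" && allow !== pageOrigin) {
    return { ok: false, reason: `The 'Access-Control-Allow-Origin' header has a value '${allow}' that is not equal to the supplied origin.` };
  }
  return { ok: true, reason: "allowed" };
}

// A token endpoint like the ones in this thread: no OPTIONS support, no CORS headers.
function legacyTokenEndpoint(req) {
  if (req.method === "OPTIONS") return { status: 405, headers: {} };
  return { status: 200, headers: { "content-type": "application/json" }, body: '{"access_token":"<constructed>"}' };
}

// The same endpoint with an explicit origin allow-list: it answers preflights and
// echoes the Origin back only when it is listed (the role Keycloak's "Web origins"
// setting plays, but with named origins instead of "*").
function makeCorsAwareTokenEndpoint(allowedOrigins) {
  return function tokenEndpoint(req) {
    const origin = req.headers["origin"];
    const cors = {};
    if (origin && allowedOrigins.includes(origin)) {
      cors["access-control-allow-origin"] = origin; // echo the one origin, never "*"
      cors["vary"] = "Origin";                      // so caches key the answer on Origin
    }
    if (req.method === "OPTIONS") {
      return { status: 204, headers: { ...cors, "access-control-allow-methods": "POST",
        "access-control-allow-headers": "authorization, content-type", "access-control-max-age": "600" } };
    }
    return { status: 200, headers: { ...cors, "content-type": "application/json" }, body: '{"access_token":"<constructed>"}' };
  };
}

// Drive the exchange as the browser would: same-origin skips CORS entirely,
// cross-origin runs the preflight (when needed) and then the real POST.
function simulateTokenRequest(pageOrigin, tokenUrl, handler) {
  const req = { method: "POST", url: tokenUrl, body: "grant_type=client_credentials",
    headers: { origin: pageOrigin, authorization: "Basic <client-id:client-secret>", "content-type": "application/x-www-form-urlencoded" } };
  const crossOrigin = originOf(tokenUrl) !== pageOrigin;
  if (crossOrigin && needsPreflight(req)) {
    const pre = { method: "OPTIONS", url: tokenUrl,
      headers: { origin: pageOrigin, "access-control-request-method": "POST", "access-control-request-headers": "authorization,content-type" } };
    const preRes = handler(pre);
    const check = corsCheck(pageOrigin, preRes.headers);
    if (!check.ok) return { ok: false, stage: "preflight", reason: `Response to preflight request doesn't pass access control check: ${check.reason}` };
    if (preRes.status < 200 || preRes.status >= 300) return { ok: false, stage: "preflight", reason: `preflight returned HTTP ${preRes.status}` };
    const allowedHeaders = (preRes.headers["access-control-allow-headers"] || "").toLowerCase().split(",").map((h) => h.trim());
    for (const h of pre.headers["access-control-request-headers"].split(",")) {
      if (!allowedHeaders.includes(h)) return { ok: false, stage: "preflight", reason: `Request header field ${h} is not allowed by Access-Control-Allow-Headers in preflight response.` };
    }
  }
  const res = handler(req);
  if (crossOrigin) {
    const check = corsCheck(pageOrigin, res.headers);
    if (!check.ok) return { ok: false, stage: "response", reason: check.reason };
  }
  return { ok: true, stage: "response", status: res.status };
}

// Stand-alone demo of the three situations discussed in the thread.
function runDemo() {
  const ui = "http://localhost:5001";
  const token = "http://localhost:5000/connect/token";
  const results = {
    noCorsOnAuthServer: simulateTokenRequest(ui, token, legacyTokenEndpoint),
    originAllowListed: simulateTokenRequest(ui, token, makeCorsAwareTokenEndpoint([ui])),
    sameOrigin: simulateTokenRequest(ui, "http://localhost:5001/connect/token", legacyTokenEndpoint),
  };
  console.log(JSON.stringify(results, null, 2));
  return results;
}
runDemo();
```

Two points the simulation makes visible: the failure is decided by the token endpoint's response headers, so nothing configured on the Swagger UI side can change it, and a same-origin request bypasses the check only when scheme, host and port all match, which is why the allow-list on the authorization server (one echoed origin with `Vary: Origin`, rather than `*`) is the fix that scales across environments.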