
I am having trouble making CORS work at oAuth2's UserInfo endpoint. I want to retrieve claims (UserInfo) by calling the oAuth2 UserInfo resource.

As I understood from the stackoverflow post "WSO2 API Manager CORS" ... enabling CORS for oAuth2 resources should be done in the Synapse configuration by adding the CORSRequest handler as described in the above stackoverflow link. I added this CORSRequest handler for the Token and Revoke resources (_TokenAPI_.xml and _RevokeAPI_.xml) as described in the above link. And it worked! After those additions I also discovered a CORS problem in my app, so I did the same procedure by adding the CORSRequestHandler to _UserInfoAPI_.xml (including a restart of the server with wso2server.bat), but I am still getting the same CORS errors:

XMLHttpRequest cannot load https://localhost:9443/oauth2/userinfo?schema=openid. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access.

I don't understand why CORS is working on my token resource and not on my userinfo resource.

Btw, I am not using WSO2 Identity Server, but only API Manager with its oAuth2 capabilities. I checked and I can see that no Access-Control-Allow-* headers are being sent back to the client during the OPTIONS preflight call made by my browser (javascript).

Why is the CORSRequestHandler not working if I add this handler in _UserInfoAPI_.xml?

user2120188

1 Answer

Are you sure you used the correct URL, which is https://localhost:8243/userinfo, for the OPTIONS call?

I just tried, and this is what I got.

bhathiya@bhathiya-x1:/$ curl -v -k -X OPTIONS https://localhost:8243/userinfo
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8243 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 697 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*    server certificate verification SKIPPED
*    server certificate status verification SKIPPED
*    common name: localhost (matched)
*    server certificate expiration date OK
*    server certificate activation date OK
*    certificate public key: RSA
*    certificate version: #3
*    subject: C=US,ST=CA,L=Mountain View,O=WSO2,CN=localhost
*    start date: Fri, 19 Feb 2010 07:02:26 GMT
*    expire date: Tue, 13 Feb 2035 07:02:26 GMT
*    issuer: C=US,ST=CA,L=Mountain View,O=WSO2,CN=localhost
*    compression: NULL
* ALPN, server did not agree to a protocol
> OPTIONS /userinfo HTTP/1.1
> Host: localhost:8243
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Accept: */*
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET
< Host: localhost:8243
< Access-Control-Allow-Headers: authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction
< Date: Sun, 23 Oct 2016 14:43:27 GMT
< Transfer-Encoding: chunked
< 

If you're using the same URL, please post your complete curl request and response.

Bee
  • Hi Bhathiya, thank you for pointing me to the right URL (userinfo endpoint). Indeed, now it works and I am not getting any CORS related errors on this endpoint from within my web browser (javascript). Still, I find it strange, because I was using the endpoint you suggested but I did get a CORS error. So, I am wondering if I was experiencing this error because of browser caching....(?) I still can't explain why it is working now. But at least I can move forward and have learned much more about WSO2 API Manager ;-). – user2120188 Oct 24 '16 at 20:15
  • Glad to hear it's working now. I also can't explain the previous behavior. I can't say it's not browser cache either, because sometimes browser cache behaves in mysterious ways.. :) – Bee Oct 25 '16 at 04:32
  • Do you happen to know also the URL in API Manager to force a logout from the keymanager (API Manager's own Identity Server)? I could not find this in the documentation of API Manager. – user2120188 Oct 25 '16 at 11:39
  • What do you mean by logout? APIM does not keep a session with KM. – Bee Oct 25 '16 at 11:45
  • Ok, I see. That explains why I can't find the URL? Since the user can authenticate at API Manager (login screen username/password), I automatically thought that logout would be an available feature. – user2120188 Oct 25 '16 at 11:48
  • You can logout from store and publisher. Is that what you are looking for? – Bee Oct 25 '16 at 11:50
  • I have a Single Page App for which I let the user undergo an implicit oAuth2 authorization flow. He would authenticate (login) at API Manager's Identity Server and then would be redirected back to the SPA with the proper access token (and claims)... So I would want to give the user the option to logout too. – user2120188 Oct 25 '16 at 11:53
  • Try this. http://stackoverflow.com/questions/32337588/wso2-identity-server-oauth-2-0-sign-off-example-for-java – Bee Oct 25 '16 at 15:33