0

I have problem with CORS error. I do request for Google oAuth2 and i get a CORS ERROR: I want to get google authentication and generate a JWT token. When I do it without using the client everything is fine. When I send angular requests this is a problem with CORS. I allow all types of CORS. Why am I getting this error?

Access to XMLHttpRequest at 'https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=1020159669873-d9r35ssmnejud852bam87d8gqtcj5qf1.apps.googleusercontent.com&scope=openid%20profile%20email&state=8nizHP1X2z9sA8m0vqM4Lzd6VT24R15eSw5flteTywM%3D&redirect_uri=http://localhost:8080/oauth2/callback/google' (redirected from 'http://localhost:8080/oauth2/authorization/google')
from origin 'null' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Cross-Origin Read Blocking (CORB) blocked cross-origin response https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=1020159669873-d9r35ssmnejud852bam87d8gqtcj5qf1.apps.googleusercontent.com&scope=openid%20profile%20email&state=8nizHP1X2z9sA8m0vqM4Lzd6VT24R15eSw5flteTywM%3D&redirect_uri=http://localhost:8080/oauth2/callback/google with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.

My Angular request:

 googleLogin(): Observable<LoginResponse> {
    return this.http.get<LoginResponse>
    (environment.baseUrl + '/oauth2/authorization/google')
      .pipe(tap(response => {
        localStorage.setItem('access_token', response.accessToken);
      }));
  }

//...

public onGoogleLogin(): void {
   this.authService.googleLogin().subscribe();
 }

//...

CORS CONFIG: 

 @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry
                .addMapping("/**")
                .allowedOrigins("*")
                .allowedMethods("HEAD", "OPTIONS", "GET", "POST", "PUT", "PATCH", "DELETE")
                .maxAge(MAX_AGE_SECS);
    }

Security configuration: 

   @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .cors()
                    .and()
                .csrf()
                    .disable()
                .exceptionHandling()
                    .authenticationEntryPoint(unauthorizedHandler)
                    .and()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .authorizeRequests()
                    .antMatchers("/",
                "/favicon.ico",
                "/**/*.png",
                "/**/*.gif",
                "/**/*.svg",
                "/**/*.jpg",
                "/**/*.html",
                "/**/*.css",
                "/**/*.js")
                        .permitAll()
                .antMatchers("/api/v1/oauth0/**")
                        .permitAll()
                .antMatchers("/api/v1/oauth2/**")
                    .permitAll()
                .anyRequest()
                    .authenticated()
                    .and()
                // włączenie obslugi oauth2
                .oauth2Login()
                .successHandler(this.successHandler)
                .redirectionEndpoint()
                    .baseUri("/oauth2/callback/*")
                    .and()
                .userInfoEndpoint()
                    .oidcUserService(customOidcUserService);
        http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    }

Success Handler: 

@Autowired
    private UserRepository userRepository;

    @Autowired
    private JwtTokenProvider tokenProvider;

    private final static String URL = "http://localhost:8080/api/v1/oauth2/authenticate";

    @Override
    public void onAuthenticationSuccess(
            HttpServletRequest request,
            HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {

        if (response.isCommitted()) {
            return; }

        DefaultOidcUser oidcUser = (DefaultOidcUser) authentication.getPrincipal();
        System.out.println(oidcUser);
        Map attributes = oidcUser.getAttributes();
        String email = attributes.get("email").toString();
        User user = userRepository.findByEmail(email).orElseThrow(
                () -> new ResourceNotFoundException("User", "email", email)
        );
        String token = tokenProvider.generateToken(user);
        String redirectionUrl = UriComponentsBuilder.fromUriString(URL).queryParam("token", token)
                .build().toUriString();
        getRedirectStrategy().sendRedirect(request, response, redirectionUrl);
    }
}

Controller: 

@RestController
@RequestMapping("/api/v1/oauth2")
public class OAuth2Controller {

    @GetMapping("/authenticate")
    public ResponseEntity<?> authenticateUser(@RequestParam String token) {
        return ResponseEntity.ok(new JwtAuthenticationResponse(token));
    }
}
JuniorWithEverything
  • 413
  • 4
  • 13
  • 2
    OAuth 2 requires actual redirects to work: https://tools.ietf.org/html/rfc6749#section-1.2 BTW error is not coming from your server, but rather Google – Ivar Oct 09 '19 at 15:59

1 Answers1

2

You cannot get the token in this example as you need to make actual redirects. There are couple of ways you could circumvent this requirement which is detailed in RFC https://www.rfc-editor.org/rfc/rfc6749#section-1.2

  1. Initiate authorization flow in a popup and pass back the token received by server via postMessage() API provided in the browser, from the popup window back to the webapp.
  2. Save the state, whatever it is, redirect to server which will initiate authorization flow and after token is exchanged for a grant, redirect back to the webapp with a token as a query string parameter. Then use it and restore the state.
Community
  • 1
  • 1
Ivar
  • 4,350
  • 2
  • 27
  • 29