
I am using Okta OAuth to do the authentication and authorization with an Angular 8 application. Getting 'https://dev-166545.okta.com/oauth2/aus1igd7yewoAs4xa357/.well-known/openid-configuration' is causing the issue.

(screenshot: Okta trusted origins)

I have added the redirect URL in the okta trusted origin. I can't add the URLs in the CORS because of company policy.

How can I solve the CORS issue?

Access to XMLHttpRequest at 'https://dev-166545.okta.com/oauth2/aus1igd7yewoAs4xa357/.well-known/openid-configuration' from origin 'https://localhost:44307' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

However, in the network tab I can see:

(screenshot: network tab)

San Jaisy
  • I know nothing about Okta, but it seems quite possible that oauth endpoint is intentionally not CORS-enabled, regardless of what CORS settings are applied to other endpoints there — because in general, oauth endpoints aren’t intended to receive scripted ajax/XHR/fetch requests; instead, it’s intended that your application has a button or link that users manually push/follow to navigate to the oauth endpoint to authenticate there themselves, and then the oauth endpoint navigates/redirects them back to your application. – sideshowbarker Dec 19 '19 at 04:46
  • @sideshowbarker I understand your point, I agree with you. I am using an Angular 8 application with "oidc-client": "1.8.2". As per company policy we are not allowed to enable CORS; the only thing I can add is the redirect URL, and as per my understanding if the redirect URL is set up then the CORS issue shouldn't appear. – San Jaisy Dec 19 '19 at 04:55
  • Some browsers may not support/allow CORS for localhost (https://stackoverflow.com/questions/10883211/deadly-cors-when-http-localhost-is-the-origin) – Jan Garaj Dec 19 '19 at 16:09
  • @JanGaraj - it is not about localhost. Even on the dev server and production server it is the same issue. This is something related to Okta. If I add the CORS policies then it works fine. Due to company policy I am not allowed to add them in CORS. – San Jaisy Dec 19 '19 at 22:13

3 Answers


The preferred option is to add your web domain to Okta under API / Trusted Origins - as in step 7 of my write-up:

settings needed for single page app authentication flow

CORS is needed in order to implement open id connect for SPAs to latest security standards via Authorization Code Flow (PKCE).

There is an alternative option in OIDC client, which is to avoid supplying the authority URL and instead supply the redirect endpoint and token signing keys explicitly. An example of this is in my Azure code sample, where I prevent a JWKS lookup by supplying the token signing keys explicitly.

However, you will be restricted to the implicit flow, which is no longer recommended, so you are weakening the security of your app - which is not in your company's interests - and also adding considerable complexity to your code.

Maybe as a next step, forward my response to your stakeholders and try to convince them to do the sensible thing of updating to the recommended industry-standard security settings.

Gary Archer
  • It's been added to the trusted origin. If I click on the CORS then the problem won't appear. But due to company policy I am not allowed to enable CORS. Please refer to the screenshots – San Jaisy Dec 21 '19 at 05:14
  • On that answer, the CORS is enabled. I don't have permission to enable the CORS – San Jaisy Dec 21 '19 at 05:20
  • Ah - ok - I fully understand your scenario now - you have 2 options and I've updated my original answer - see above. – Gary Archer Dec 21 '19 at 08:28
  • I have used the JWKS in another question, but still the same issue. Can you please help me with this https://stackoverflow.com/questions/59418049/oidc-client-to-configure-discovery-documentation-from-the-local-host-or-other-ur?noredirect=1#comment105045239_59418049 – San Jaisy Dec 22 '19 at 01:04
  • See other post - I added some tech details there – Gary Archer Dec 22 '19 at 15:53

The question needs more details, especially the preflight request/response headers and the actual request/response headers. Don't use localhost (because of the browser issue mentioned) or http (because a prod setup with https requires a different CORS config).

Primitive curl preflight test:

curl -H "Origin: https://acme.com" \
 -H "Access-Control-Request-Method: GET" \
 -H "Access-Control-Request-Headers: X-Requested-With, :method" \
 -X OPTIONS -k https://dev-166545.okta.com/oauth2/aus1igd7yewoAs4xa357/.well-known/openid-configuration \
 --silent --verbose 2>&1 | grep Access-Control

=> gives you an idea of what is requested and what is returned.

Type CORS != type Redirect, and a valid origin is for example http://localhost:8080 and not http://localhost:8080/ -> it is not clear how you configured the CORS types.

Jan Garaj
  • The issue I am facing is when using the OIDC client https://github.com/IdentityModel/oidc-client-js/wiki, which makes the call to the issuer and tries to get the discovery document – San Jaisy Dec 19 '19 at 23:10
  • @San Jaisy Again: Question needs more details. Especially preflight request/response headers, request/response headers. – Jan Garaj Dec 20 '19 at 06:34
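As an added example (not part of Jan Garaj's answer), the following models the checks a browser applies to the preflight response that the curl command above exposes. It follows the Fetch spec's CORS check, where Access-Control-Allow-Origin is compared byte-for-byte with the serialized request origin, which is why a trusted-origin entry with a path or trailing slash ("http://localhost:8080/") never matches. The headers map and request options are constructed inputs, assumed to be taken from the curl output.

```javascript
const SIMPLE_METHODS = ['GET', 'HEAD', 'POST'];

// An origin string is valid only if it is exactly scheme://host[:port]:
// "http://localhost:8080" passes, "http://localhost:8080/" does not.
function isValidOriginString(s) {
  try { return new URL(s).origin === s; } catch { return false; }
}

// The Origin header a browser sends for a page, e.g. "https://localhost:44307".
function serializeOrigin(pageUrl) {
  return new URL(pageUrl).origin;
}

// headers: response header names (lower-cased) -> values, copied from the curl
// output (constructed here); opts: the request the SPA is about to make.
function preflightCheck(requestOrigin, headers, opts = {}) {
  const { method = 'GET', requestHeaders = [], credentials = false } = opts;
  const reasons = [];
  const split = (v) => (v || '').split(',').map((x) => x.trim()).filter(Boolean);

  // Fetch spec "CORS check": ACAO must be "*" (only without credentials) or
  // byte-for-byte equal to the serialized request origin.
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) {
    reasons.push("No 'Access-Control-Allow-Origin' header is present on the requested resource");
  } else if (acao === '*') {
    if (credentials) reasons.push('wildcard origin is not allowed with credentials');
  } else if (acao !== requestOrigin) {
    reasons.push(`Access-Control-Allow-Origin "${acao}" is not "${requestOrigin}"`);
  }
  if (credentials && headers['access-control-allow-credentials'] !== 'true') {
    reasons.push('Access-Control-Allow-Credentials is not "true"');
  }

  // Non-simple methods and headers must be listed explicitly; "*" counts only
  // for requests made without credentials.
  const wildcardOk = !credentials;
  const methods = split(headers['access-control-allow-methods']).map((m) => m.toUpperCase());
  if (!SIMPLE_METHODS.includes(method) && !methods.includes(method) && !(wildcardOk && methods.includes('*'))) {
    reasons.push(`method ${method} is not allowed`);
  }
  const allowed = split(headers['access-control-allow-headers']).map((h) => h.toLowerCase());
  for (const h of requestHeaders) {
    if (!allowed.includes(h.toLowerCase()) && !(wildcardOk && allowed.includes('*'))) {
      reasons.push(`request header ${h} is not allowed`);
    }
  }
  return { allowed: reasons.length === 0, reasons };
}
```

Feed it the `Access-Control-*` lines grep'd from the curl run to see which of the checks the discovery endpoint fails for your origin.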
import { UserManagerSettings } from 'oidc-client';

// Shape of the "openId" section of appsettings.json (inferred from the fields used below)
interface IOpenIdOptions {
  authority: string;
  clientId: string;
  apiResourceId: string;
  redirectUri: string;
  silentRedirectUri: string;
  responseType: string;
  jwksUri: string;
}

function getClientSettings(configuration: IOpenIdOptions): UserManagerSettings {
  return {
    authority: configuration.authority + '/',
    client_id: configuration.clientId,
    redirect_uri: configuration.redirectUri,
    post_logout_redirect_uri: configuration.redirectUri,
    response_type: configuration.responseType, // "id_token token"
    scope: 'openid profile email ' + configuration.apiResourceId,
    filterProtocolClaims: true,
    loadUserInfo: false,
    automaticSilentRenew: true,
    monitorSession: true,
    silent_redirect_uri: configuration.silentRedirectUri,
    accessTokenExpiringNotificationTime: 20, // default 60
    checkSessionInterval: 5000, // default 2000
    silentRequestTimeout: 20000, // default 10000
    // When CORS is disabled, the discovery document and token signing keys cannot be retrieved,
    // so the metadata and signing keys for Okta auth are supplied manually here.
    metadata: {
      // The magic happens here: jwks_uri points at a copy of the JWKS hosted on localhost
      jwks_uri: configuration.jwksUri,
      authorization_endpoint: `${configuration.authority}/v1/authorize`,
      issuer: configuration.authority
    },
  };
}

appsettings.json

{
  "openId": {
    "authority": "https://dev-166545.okta.com/oauth2/xxxxxxxxxxxxxx",
    "clientId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "apiResourceId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "redirectUri": "https://localhost:44307/auth-callback",
    "silentRedirectUri": "https://localhost:44307/assets/silent-renew.html",
    "responseType": "id_token token",
    "jwksUri": "https://localhost:44307/assets/jwks.json"
  }
}
San Jaisy
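An added example, not code from either answer, covering the explicit-metadata option Gary Archer describes and the jwksUri/metadata settings in the configuration above: once the SPA stops reading the discovery document, the locally hosted jwks.json is a snapshot that does not follow Okta's key rotation, so tokens signed with a new key fail verification and keys Okta has retired stay trusted. The helpers below compare that snapshot with a freshly downloaded JWKS, check whether a token's kid is resolvable from it, and sanity-check the hand-written metadata against the configured authority. All key data and tokens here are constructed and unsigned; the function names are this example's own.

```javascript
function b64urlDecode(s) {
  const pad = s.length % 4 === 0 ? '' : '='.repeat(4 - (s.length % 4));
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64').toString('utf8');
}

// Read alg and kid from a compact JWS header without verifying anything.
function jwtHeader(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(b64urlDecode(parts[0]));
}

// Constructed token with a header and payload but a fake signature; it only
// exercises the kid lookup and must never be accepted by a verifier.
function sampleToken(kid, iss) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', kid })}.${enc({ iss })}.fake-signature`;
}

// Compare the local copy of the JWKS with the live document: "stale" keys
// exist only locally (retired by Okta but still trusted by the SPA),
// "missing" keys exist only live (fresh tokens signed with them fail locally).
function jwksDrift(localJwks, liveJwks) {
  const ids = (jwks) => new Set(jwks.keys.filter((k) => k.use !== 'enc').map((k) => k.kid));
  const local = ids(localJwks), live = ids(liveJwks);
  const stale = [...local].filter((kid) => !live.has(kid));
  const missing = [...live].filter((kid) => !local.has(kid));
  return { stale, missing, inSync: stale.length === 0 && missing.length === 0 };
}

// Would a verifier using the local JWKS find a signing key for this token?
function canResolveKid(token, localJwks) {
  const { kid, alg } = jwtHeader(token);
  return localJwks.keys.some((k) => k.kid === kid && (!k.alg || k.alg === alg));
}

// Hand-written metadata must stay consistent with the configured authority.
function checkStaticMetadata(authority, metadata) {
  const problems = [];
  if (metadata.issuer !== authority) problems.push('issuer differs from authority');
  if (!metadata.authorization_endpoint.startsWith(authority + '/')) problems.push('authorization_endpoint is outside the authority');
  if (!metadata.jwks_uri.startsWith('https://')) problems.push('jwks_uri must be https');
  return problems;
}

// Constructed sample data: fake kids and placeholder moduli, not real Okta keys.
const LOCAL_JWKS = { keys: [{ kty: 'RSA', kid: 'k-old', use: 'sig', alg: 'RS256', e: 'AQAB', n: 'placeholder' }] };
const LIVE_JWKS = { keys: [{ kty: 'RSA', kid: 'k-new', use: 'sig', alg: 'RS256', e: 'AQAB', n: 'placeholder' }] };
```

Run `jwksDrift` on a schedule from a backend or build job that is allowed to fetch Okta's live jwks_uri (server-side requests are not subject to CORS), and republish assets/jwks.json whenever `missing` is non-empty.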