
I have installed authentik 2022.10.1 behind an Nginx Proxy Manager. My authentik instance is accessible via the domain auth.<mydomain.tld>.

On the server where authentik is running, I set up an LDAP service, from where authentik is getting its user credentials.

I also set up Portainer on another server, which is also accessible from the internet, to use authentik in the background, so I can log in using OAuth. This is working so far...

Now, I'm trying to implement an OAuth login to one of my websites, which is built on a MERN stack.

So far, I can retrieve the code when I click the link, which generates the code as a GET parameter in the URL.

But when I want to use the code, together with the other data such as client_id or client_secret, and create a POST request using axios.post(), it returns an Error 400 in the console saying:

Access to XMLHttpRequest at 'https://auth.<mydomain.tld>/application/o/token/' from origin 'https://<mydomain.tld>' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

further saying:

POST https://auth.<mydomain.tld>/application/o/token/ net::ERR_FAILED 400

Browser response headers as below:

cache-control: no-store
content-encoding: gzip
content-length: 140
content-type: application/json
date: Wed, 16 Nov 2022 18:16:41 GMT
pragma: no-cache
referrer-policy: same-origin
server: openresty
vary: Accept-Encoding
vary: Cookie
x-authentik-id: c0d8606a80fa4d88a32e7b93dd202803
x-content-type-options: nosniff
x-frame-options: DENY
x-powered-by: authentik

The error message is similar to the one described in this post. Unfortunately, it couldn't solve my problem.

I think the problem lies in my code, as described in this SO post; I just can't find a working solution, since in the linked question the code is written in Java, while mine is in JS.

The following is my code, which I implemented: https://paste.gg/p/anonymous/d3324f2119474e208e5134d953e9b966

I have tried to add the CORS headers to the POST request, but it didn't work. I appreciate every hint I can get to solve this problem. Maybe I'm just doing it completely wrong, who knows.

For those who are interested, I've been working alongside the Google Developer documentation about OAuth: https://developers.google.com/identity/openid-connect/openid-connect#exchangecode

LinuxSquare
Some more information: I've got an answer from an administrator of authentik: "authentik sets the CORS headers itself, but for that to function the allowed redirects need to be set. Authentik will then accept the domains in those URLs." So that means, as long as my domain is configured inside the Redirect URI/Origins inside the provider configuration, the CORS headers should be set correctly. Unfortunately, this didn't work from the beginning, when the request URI is `https://app.mydomain.tld/adminpanel/login/` – LinuxSquare Dec 06 '22 at 10:08

0 Answers