11.7
This is probably a bit non-Progress related, but hopefully I can get some info.
It is HTML....
Doing some authentication, I am receiving a return to our redirect_url:
I am trying to do something like this:
JavaScript:
myParam = "&response_type=code&client_id=oidc_ovf&scope=openid profile&state=" + getURLparam('state') + "&redirect_uri=" + encodeURI("minside.no/test.html");
getToken("oidc-ver1xxxxxxxn-oidc-provider/token", myParam);
:
:
function getToken(inUrl, inParam) {
    $.ajax({
        type: "POST",
        url: inUrl,
        data: $(this).serialize() + inParam,
        success: function(data) { window.alert("Success:" + data); }
    });
}
Oops, I can see that I forgot to ask my question, sorry....
I get this error, which seems to be related to CORS, but I am not sure how to get this right.
When I do the POST, it seems like the method is changed to OPTIONS, and that is forbidden by the receiver.
____________
jquery.min.js:4 OPTIONS oidc-ver1.difi.no/.../token 403 (Forbidden)
__________________
Failed to load oidc-ver1.difi.no/.../token: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://minside.ovf.no' is therefore not allowed access. The response had HTTP status code 403.
________________
How can I solve this?
I know our domain has a BigIP system that translates official ip:port to internal IP:port. Could that be a problem related to this?
Go to oeablSecurity.properties (either in the conf directory or in WEB-INF of your webapp) and locate `OECORSFilter.allowDomains=`. Set the correct domain there. This would probably be "minside.ovf.no".
It is pure HTML/JavaScript, so oeablSecurity is not in play, and minside.no is our side, and oidc-ver1.difi.no is the security site that seems to reject us.
Tutorial on using CORS (& jQuery):
Some web page on their site (oidc-ver1.difi.no) makes a request on your site and the response you send back doesn't have the necessary CORS headers or it doesn't whitelist their domain (difi.no). If you are in control of the response there, you just need to send the appropriate headers back in that request so the client does not complain about CORS.
After struggling some hours now, I am still not close to a solution. Is there anyone that could help get me to understand this (or fix it)? I will gladly pay for the time it takes.
My latest attempt:
xhr.open(method, url, true);
xhr.setRequestHeader('Authorization','Bearer ' + getURLparam('code') );
// xhr.setRequestHeader('Access-Control-Allow-Headers','Content-Type, Accept, X-Requested-With, Session');
// xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.setRequestHeader('Access-Control-Allow-Origin','*');
xhr.setRequestHeader('Access-Control-Allow-Methods','GET, POST, PATCH, PUT, DELETE, OPTIONS');
xhr.setRequestHeader('Access-Control-Allow-Headers','Origin, Content-Type, X-Auth-Token');
Still no go.
//Geir Otto
Anyone that could point me to a site where I could find some people for hire to fix this problem for me?
You don't need to set the headers on the XMLHttpRequest when calling the external API service; you need to set the headers on your server that returns the web page where you make the XMLHttpRequest, so your server tells the client browser it is allowed to make requests to other servers than the origin (your server).
header('Access-Control-Allow-Origin: oidc-ver1.difi.no');
header('Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS');
header('Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token');
Marian,
The client is logging in to minside.ovf.no/index.html. This webserver is reached behind a proxy that probably does a port translation (if that has anything to do with this). The index.html sends a GET to oidc-ver1.difi.no/.../authorize with a respond_url that points to minside.ovf.no/test.html. In test.html, I find code and status and then I need to do a new call to oidc-ver1.difi.no/.../Token that contains an HTTP header: "Bearer <auth...code>", that is the code I get; this is sent using POST. Is it so that difi.no has to do something on their webserver to allow me to communicate? As I understand it, the error message I get is related to the pre-posting that ajax does with regard to CORS. I have a WebSpeed available; would it be easier to use that for making the call?
I see, so they aren't calling back using XMLHttpRequest... it's only you that makes calls to them that way; the first one using GET works and you get them to somehow call back to your test.html page. The problem seems to occur when you make an XMLHttpRequest from that test.html page back to their server, right? How do you receive the authorisation token and how do you send that back? Any reason for you to use POST instead of GET?
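The 403 on the OPTIONS preflight in the thread is decided by the server that owns the token endpoint, because Access-Control-* are response headers that the browser reads from that server's answer, not request headers the page can set. As an added example (not code from this thread or from Progress/difi), here is the decision logic such an endpoint would run for the preflight and the real POST, written in Node.js as a pure function; the allowlisted origin https://minside.ovf.no and the header names are assumptions for illustration.

```javascript
// Added example: CORS decision for a token endpoint that receives a
// browser POST carrying an Authorization header (which forces a preflight).
// Assumptions (not from the thread): Node.js, allowlisted origin below.

const ALLOWED_ORIGINS = new Set(["https://minside.ovf.no"]); // constructed allowlist
const ALLOWED_METHODS = ["POST", "OPTIONS"];
const ALLOWED_HEADERS = ["authorization", "content-type"];

// req = { method, headers } with lowercase header names, as Node's http module gives them.
// Returns { status, headers } for the caller to write as the HTTP response.
function corsDecision(req) {
  const origin = req.headers["origin"];
  // No Origin header: same-origin page or non-browser client, CORS does not apply.
  if (origin === undefined) return { status: 200, headers: {} };
  // Origin not on the allowlist: refuse, and send no Allow-Origin header at all
  // so the browser blocks the response (the same symptom the thread reports).
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };

  const headers = {
    "Access-Control-Allow-Origin": origin, // echo the allowlisted origin, never "*" for credentials
    "Vary": "Origin",                       // caches must key responses on Origin
  };

  const isPreflight =
    req.method === "OPTIONS" &&
    req.headers["access-control-request-method"] !== undefined;

  if (isPreflight) {
    const wantedMethod = req.headers["access-control-request-method"];
    const wantedHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(wantedMethod) &&
      wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (!ok) return { status: 403, headers: {} };
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600"; // let the browser cache the preflight
    return { status: 204, headers };
  }
  // The actual POST: only the Allow-Origin (and Vary) headers are needed.
  return { status: 200, headers };
}
```

Because this logic lives on the token endpoint's side, a page on minside.ovf.no cannot change the outcome by adding headers to its own request; if that endpoint does not allowlist the origin, the token call has to be made from a server (such as the WebSpeed mentioned above) rather than from the browser.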