DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

OIDC login CORS error #3505

Open Firefox2100 opened 8 months ago

Firefox2100 commented 8 months ago

Current Behavior

When logging in via a custom OIDC provider, the front end sends a GET request to the .well-known/openid-configuration endpoint, which does not have a CORS header. Front-end triggers:

An error occurred while redirecting to the OpenID Connect identity provider.

And the browser inspect tool shows a CORS error.

Steps to Reproduce

1. Start the service using the following docker-compose file:

```yaml
version: '3.7'

volumes:
  dependency-track:

services:
  dtrack-apiserver:
    image: dependencytrack/apiserver
    environment:
    - "ALPINE_OIDC_ENABLED=true"
    - "ALPINE_OIDC_ISSUER=https://auth.mydomain.com/webman/sso"
    - "ALPINE_OIDC_CLIENT_ID=my_client_id"
    - "ALPINE_OIDC_USERNAME_CLAIM=preferred_username"
    - "ALPINE_OIDC_TEAMS_CLAIM=groups"
    - "ALPINE_OIDC_USER_PROVISIONING=true"
    - "ALPINE_OIDC_TEAM_SYNCHRONIZATION=true"
    deploy:
      resources:
        limits:
          memory: 12288m
        reservations:
          memory: 8192m
      restart_policy:
        condition: on-failure
    ports:
      - '15081:8080'
    volumes:
      - 'dependency-track:/data'
    restart: unless-stopped

  dtrack-frontend:
    image: dependencytrack/frontend
    depends_on:
      - dtrack-apiserver
    environment:
      - "API_BASE_URL=https://dt-api.mydomain.com"
      - "OIDC_ISSUER=https://auth.mydomain.com/webman/sso"
      - "OIDC_CLIENT_ID=my_client_id"
      - "OIDC_SCOPE=openid profile email"
    ports:
      - "15080:8080"
    restart: unless-stopped
```

2. Configure the OIDC provider. I tested both KeyCloak and Synology SSO service.
3. Configure the reverse proxy. The backend is hosted at https://dt-api.mydomain.com, frontend at https://dependency-track.mydomain.com, and the OIDC service at https://auth.mydomain.com.
4. Start the docker stack, go to the login page, click on the OIDC button. Get the CORS error.

Expected Behavior

The OIDC login button should have redirected me to the OIDC provider. The front end, from the environment variables, should have sufficient information on redirecting. The request on the well known endpoint is not really necessary. Is there some config I'm missing, or do I need to proxy the OIDC server under the same domain?

Thank you for your help!

Dependency-Track Version

4.10.1

Dependency-Track Distribution

Container Image

Database Server

N/A

Database Server Version

No response

Browser

Google Chrome

valentijnscholten commented 8 months ago

Which request is giving you the CORS error? The GET to the IdP?

Firefox2100 commented 8 months ago

Yes, the GET to https://auth.mydomain.com/webman/sso/.well-known/openid-configuration

nscuro commented 8 months ago

That means you need to whitelist the frontend's host (as in, the origin of the GET request) in your IdP.

I don't know the specific IdP you're using, but in Keycloak there's an "Allowed Origins" setting where this can be configured.

Firefox2100 commented 8 months ago

Thank you for your help. Are you referring to the Web Origin configuration in the client settings? If so, I have it correctly configured when testing with KeyCloak. I've also used postman to request the well known endpoint directly, and the response does not seem to contain CORS header. I could not find any documentation on how it's configured, and since the well-known endpoint is shared in the same realm, I'm not sure if it was meant to be configured for a single (or multiple) origins. Could you please confirm that in your setup, your frontend also sends a GET request to the OIDC config endpoint?
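As an added illustration of the diagnosis in this thread (not code from the issue or from Dependency-Track), the script below builds the discovery URL the frontend requests from the issuer and evaluates a response's CORS headers the way a browser would for the frontend origin: missing `Access-Control-Allow-Origin`, a non-matching value, or a wildcard combined with credentials all mean the login will fail with the error shown above. The issuer, frontend origin and sample headers are constructed placeholders taken from the thread; `check_live` performs the same GET Postman was used for.

```python
"""Check whether an OIDC discovery endpoint is readable cross-origin from the
Dependency-Track frontend. Added example, not part of the issue or the project."""
import urllib.request
from urllib.parse import urlparse


def discovery_url(issuer: str) -> str:
    """Build the URL the frontend fetches: <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def _norm_origin(value: str) -> str:
    """Normalise an origin to scheme://host[:port] in lower case for comparison."""
    p = urlparse(value.strip())
    return f"{p.scheme}://{p.netloc}".lower()


def cors_verdict(frontend_origin: str, headers: dict) -> tuple[bool, str]:
    """Decide from response headers alone whether a page at frontend_origin may read
    the discovery document. Header names are matched case-insensitively, as browsers do."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False, "no Access-Control-Allow-Origin header: IdP does not allow this origin"
    if acao.strip() == "*":
        if h.get("access-control-allow-credentials", "").strip().lower() == "true":
            return False, "wildcard origin with credentials=true is rejected by browsers"
        return True, "wildcard origin allowed"
    if _norm_origin(acao) != _norm_origin(frontend_origin):
        return False, f"origin not in IdP allow list (server returned {acao!r})"
    vary = [v.strip().lower() for v in h.get("vary", "").split(",")]
    if "origin" not in vary:
        return True, "origin allowed, but no 'Vary: Origin' (caches may serve it to other origins)"
    return True, "origin allowed"


def check_live(issuer: str, frontend_origin: str, timeout: float = 10.0) -> tuple[bool, str]:
    """Fetch the discovery document with an Origin header and evaluate the CORS response."""
    req = urllib.request.Request(discovery_url(issuer), headers={"Origin": frontend_origin})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return cors_verdict(frontend_origin, dict(resp.headers.items()))


if __name__ == "__main__":
    # Constructed values mirroring the thread; no network access is needed for this part.
    origin = "https://dependency-track.mydomain.com"
    print(discovery_url("https://auth.mydomain.com/webman/sso"))
    print(cors_verdict(origin, {"Content-Type": "application/json"}))  # what the reporter saw
    print(cors_verdict(origin, {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}))
```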