Open Firefox2100 opened 8 months ago
Which request is giving you the CORS error? The GET to the IdP?
Yes, the GET to https://auth.mydomain.com/webman/sso/.well-known/openid-configuration
That means you need to whitelist the frontend's host (as in, the origin of the GET request) in your IdP.
I don't know the specific IdP you're using, but in Keycloak there's an "Allowed Origins" setting where this can be configured.
Thank you for your help. Are you referring to the Web Origins configuration in the client settings? If so, I have it correctly configured when testing with Keycloak. I've also used Postman to request the well-known endpoint directly, and the response does not seem to contain a CORS header. I could not find any documentation on how it's configured, and since the well-known endpoint is shared in the same realm, I'm not sure if it was meant to be configured for a single (or multiple) origins. Could you please confirm that in your setup, your frontend also sends a GET request to the OIDC config endpoint?
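The exchange above comes down to one question: would the browser accept the IdP's discovery response for the frontend's origin? The following is an added example (not part of this issue or of Dependency-Track) that applies the browser's CORS rules for a simple GET to a captured response, such as one copied out of Postman; the `CapturedResponse` type and the sample header sets are constructed for illustration.

```python
"""Decide whether an OIDC discovery response would pass the browser's CORS
check for a given frontend origin. Added example with constructed data."""
from dataclasses import dataclass, field


@dataclass
class CapturedResponse:
    """A response as captured outside the browser (e.g. from Postman)."""
    status: int
    headers: dict = field(default_factory=dict)  # header name -> value


def _header(headers: dict, name: str):
    """Case-insensitive header lookup, since capture tools vary in casing."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cors_verdict(resp: CapturedResponse, frontend_origin: str,
                 with_credentials: bool = False):
    """Return (allowed, reason) mirroring what the browser checks on a
    cross-origin GET: the exact origin (or '*') in
    Access-Control-Allow-Origin, and, if credentials are sent, no wildcard
    plus Access-Control-Allow-Credentials: true."""
    acao = _header(resp.headers, "Access-Control-Allow-Origin")
    if acao is None:
        return False, "no Access-Control-Allow-Origin header on the response"
    acao = acao.strip()
    if acao == "*":
        if with_credentials:
            return False, "wildcard origin is rejected when credentials are sent"
        return True, "wildcard origin allowed"
    if acao != frontend_origin:  # origins are compared as exact strings
        return False, f"Access-Control-Allow-Origin is {acao!r}, not {frontend_origin!r}"
    if with_credentials:
        acac = _header(resp.headers, "Access-Control-Allow-Credentials")
        if acac is None or acac.strip().lower() != "true":
            return False, "credentials sent but Access-Control-Allow-Credentials is not 'true'"
    return True, "origin allowed"


if __name__ == "__main__":
    # Constructed capture resembling the one described in the thread:
    # the discovery document comes back, but without any CORS header.
    captured = CapturedResponse(200, {"Content-Type": "application/json"})
    print(cors_verdict(captured, "https://dependency-track.mydomain.com"))
```

Run it against the headers you actually captured from the `.well-known/openid-configuration` endpoint; a missing header is the IdP-side allowed-origins setting, while a mismatched value usually means the configured origin differs from the frontend's in scheme, host or port.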
Current Behavior
When logging in via a custom OIDC provider, the front end sends a GET request to the .well-known/openid-configuration endpoint, which does not have a CORS header. Front-end triggers:
And the browser inspect tool shows a CORS error.
Steps to Reproduce
https://dt-api.mydomain.com, frontend at https://dependency-track.mydomain.com, and the OIDC service at https://auth.mydomain.com.
Expected Behavior
The OIDC login button should have redirected me to the OIDC provider. The front end, from the environment variables, should have sufficient information on redirecting. The request on the well-known endpoint is not really necessary. Is there some config I'm missing, or do I need to proxy the OIDC server under the same domain?
Thank you for your help!
Dependency-Track Version
4.10.1
Dependency-Track Distribution
Container Image
Database Server
N/A
Database Server Version
No response
Browser
Google Chrome