JetBrains / teamcity-azure-active-directory

TeamCity plugin which supports authentication via Microsoft Azure Active Directory
Apache License 2.0

403 Forbidden when logging in from Webkit browsers (Chrome, Opera) #27

Closed ElvenSpellmaker closed 6 years ago

ElvenSpellmaker commented 7 years ago

We recently upgraded to TeamCity 2017.1.1, and when users try to use the AD to login they get a message stating: 403 Forbidden: Respnding with 403 status code due to failed CSRF check: request's "Origin" header value "https://login.microsoftonline.com" does not maqtch Host/X-Forwarded-Host header values or server's CORS-trusted hosts, consider adding "Origin: https://myteamcityurl.com" header.

I can't see a place from the plug-in configuration to add this header and it worked in TC 10.0.5 perfectly fine.

ElvenSpellmaker commented 7 years ago

Just for clarification so anyone else is clear on the workaround (I believe it's a workaround and not the fix) for this, this is because TeamCity 2017.1.1 adds a CSRF Protection feature which checks origins of requests to their REST API (and other endpoints).

I started by doing a google search for "teamcity add cors host" and the third result down (it links to TCD9 but there's a link to 10 from the page): https://confluence.jetbrains.com/display/TCD10/CSRF+Protection

By reading: https://confluence.jetbrains.com/display/TCD10/REST+API#RESTAPI-CORSSupport I found out that I need to add https://login.microsoftonline.com to the cors list in the internal properties.

These can be edited in the UI as described here: https://confluence.jetbrains.com/display/TCD10/Configuring+TeamCity+Server+Startup+Properties#ConfiguringTeamCityServerStartupProperties-TeamCityinternalproperties

goatmale commented 7 years ago

Lifesaver ^ I added this as shown below: rest.cors.origins=https://login.microsoftonline.com

ElvenSpellmaker commented 7 years ago

This is hopefully patched in 2017.1.2 as described here: https://youtrack.jetbrains.com/issue/TW-49729

DALDEI commented 7 years ago

I had a nearly identical problem, Azure was sending "Origin: null" (literally 'null') and got the same error but

403 Forbidden: Respnding with 403 status code due to failed CSRF check: request's "Origin" header value "null" does not maqtch Host/X-Forwarded-Host header values or server's CORS-trusted hosts,

The first suggestion didn't work; on a wild whim I took a stab and guessed "originS" meant more than one, and guessed comma separated.

rest.cors.origins=null,https://login.microsoftonline.com

Bingo, worked!

dtretyakov commented 6 years ago

Modern browsers could set Origin: null header while replying from HTTPS Azure endpoint to the HTTP URL of TeamCity server. See more details at the https://github.com/JetBrains/teamcity-azure-active-directory#known-issues

Please let me know if you are using TeamCity 2017.1.2+ with HTTPS URL and still need to specify rest.cors.origins=null property in your setup.
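The thread above reconstructs, from TeamCity's error message, how the 2017.1.x CSRF check decides whether a request is allowed: the `Origin` header must match `Host`/`X-Forwarded-Host` or appear in the comma-separated `rest.cors.origins` internal property, and an `Origin: null` (sent by browsers when the HTTPS Azure endpoint replies to an HTTP TeamCity URL) only passes when `null` itself is listed. The following Python model is an added example, not TeamCity's source code or part of this plugin; the exact matching rule (host:port comparison, scheme ignored) and the function names are assumptions made for illustration. It runs the three configurations discussed in the thread (no CORS entry, the Azure origin only, and `null` plus the Azure origin) against constructed request headers so you can see which ones produce the 403.

```python
"""Model of an Origin-based CSRF check like the one TeamCity 2017.1.x applies.

Added example: a hypothetical reconstruction from the error message quoted in
the issue, not TeamCity's own implementation.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def parse_cors_origins(value: str) -> set[str]:
    """Parse a comma-separated rest.cors.origins value into trimmed entries.

    The thread found that several origins are given comma-separated, e.g.
    "null,https://login.microsoftonline.com".
    """
    return {entry.strip() for entry in value.split(",") if entry.strip()}


def _origin_host(origin: str) -> str | None:
    """Return host[:port] of an Origin URL, or None for 'null'/unparsable values."""
    if origin == "null":
        return None  # opaque origin: cannot be compared with Host
    parts = urlsplit(origin)
    return parts.netloc.lower() if parts.scheme and parts.netloc else None


def csrf_check(headers: dict[str, str], cors_origins: set[str]) -> tuple[bool, str]:
    """Return (allowed, reason) for one request's headers.

    Assumed rule: allow when Origin is absent, when it is listed verbatim in
    rest.cors.origins, or when its host matches Host / X-Forwarded-Host.
    """
    origin = headers.get("Origin")
    if origin is None:
        return True, "no Origin header; same-origin or non-browser request"
    if origin in cors_origins:
        return True, f'Origin "{origin}" is a CORS-trusted host'
    host = _origin_host(origin)
    own_hosts = {
        h.lower() for h in (headers.get("Host"), headers.get("X-Forwarded-Host")) if h
    }
    if host is not None and host in own_hosts:
        return True, f'Origin "{origin}" matches Host/X-Forwarded-Host'
    return False, (
        f'403 Forbidden: Origin "{origin}" does not match Host/X-Forwarded-Host '
        f"or CORS-trusted hosts"
    )


# Constructed sample requests: the Azure sign-in callback with a real Origin,
# the same callback after an HTTPS -> HTTP downgrade (Origin: null), and a
# same-origin request from the TeamCity UI itself.
SAMPLE_REQUESTS = {
    "azure callback, HTTPS TeamCity": {
        "Origin": "https://login.microsoftonline.com",
        "Host": "myteamcityurl.com",
    },
    "azure callback, HTTP TeamCity (Origin: null)": {
        "Origin": "null",
        "Host": "myteamcityurl.com",
    },
    "same-origin UI request": {
        "Origin": "https://myteamcityurl.com",
        "Host": "myteamcityurl.com",
    },
}

# The three rest.cors.origins settings that appear in the thread.
SAMPLE_CONFIGS = {
    "unset": "",
    "azure only": "https://login.microsoftonline.com",
    "null + azure": "null,https://login.microsoftonline.com",
}


def evaluate_all() -> dict[tuple[str, str], bool]:
    """Run every sample request against every sample config; return allowed flags."""
    results = {}
    for cfg_name, cfg_value in SAMPLE_CONFIGS.items():
        trusted = parse_cors_origins(cfg_value)
        for req_name, headers in SAMPLE_REQUESTS.items():
            allowed, reason = csrf_check(headers, trusted)
            results[(cfg_name, req_name)] = allowed
            print(f"[{cfg_name:12}] {req_name:45} -> {reason}")
    return results


if __name__ == "__main__":
    evaluate_all()
```

Note how the model makes the trade-off visible: listing `null` is the only way to let the downgraded callback through, but `null` is also the opaque origin browsers send from sandboxed frames and other privacy-sensitive contexts, so it is a much weaker allowlist entry than a concrete `https://` origin. That is why dtretyakov's advice to serve TeamCity over HTTPS (so the browser keeps sending the real Azure origin) is the preferable fix, with `rest.cors.origins=null` reserved for setups that cannot yet move off HTTP.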