OidcSupport.java doesn't allow CORS requests. Shouldn't it allow CORS requests?

[vamshikrishna83]

Getting below error when trying to execute a login request from Frontend (React + TypeScript) to Backend (Java Helidon MP Service). I have added CORS attributes in helidon application config, and it is being honored for all application requests - except this instance of /oidc/redirect. I was able to make some progress by including CorsSupport handler as part of RoutingRules.

Access to XMLHttpRequest at 'http://localhost:7987/oidc/redirect?code=AgAgYmE2MGQwOGQwYWUzNDhjZGFlNWNhODQ0NTMyMjIxN2EIABDZvnqDDc9zE1bXeAfQgOctAAAAQOK27SgPqB4iaXNvqK-3q6h15tM7075vxJZqfWdC08VecVPDxfY78SgsWC2h96hhOzwsv97-v3y8L_2VlcwXCcE=&state=%2Fsession%2Fsecure' (redirected from 'http://localhost:7987/session/secure') from origin 'http://localhost:9000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Based on my minimal understanding, OidcSupport.update method should be updated so something similar to below, to be able to allow CORS requests to be processed properly.

public void update(Routing.Rules rules) {
    if (enabled) {
        rules.get(oidcConfig.redirectUri(), CorsSupport.builder().allowOrigins("ORIGIN").allowMethods("*").build(), this::processOidcRedirect)
                .any(this::addRequestAsHeader);
    }
}

Environment Details

• Helidon Version: 2.3.3
• Helidon MP
• JDK version: JDK 11
• OS: Windows 10

---

Expected the redirect call from OidcProvider instance should re-direct properly with no errors / issues.

[vamshikrishna83]

On more investigation, looks like CorsSupportHelper.prepareResponse is being called and infact addCorsHeadersToResponse is being added to responseAdapter, but somehow the same is not visible in OidcSupport.processCode method's ServerResponse argument headers data. Not sure on how / where the headers data is being missed out.

When i manually add Allow Origins and Allow Methods headers to the response object in OidcSupport.processCode the request completes properly.

[tomas-langer]

Support for OIDC login in Helidon is intended for applications that run on a single Helidon instance (or with the same "frontend host" and port). Can you please explain the use case here? I think that if you use a frontend application on a different port, you should not use redirects on Helidon server - in this case you should handle the security on frontend, and send the token as part of request headers to Helidon (this is a supported scenario). Another option would be to redirect back to server, and then have a custom endpoint (that your register) that would redirect back to frontend with correct CORS setup.

TL;DR - we do not intend for /oidc/redirect endpoint to support CORS. If your usecase changes our opinion on this, we would look into the solution.

[vamshikrishna83]

@tomas-langer Thanks for your clarification.

Frotend Application --> Frontend Module (My Frontend) --> Backend Module (My Backend)

As shown above, My Frontend Module and Backend Module is part of a bigger application. We have dependency on Helidon only on Backend Module.

User is authenticated in Frontend Application itself. We think of following the approach to fetch the JWT token for the logged-in user as part of the first call to the Backend Module. Subsequent requests related to this session, would make use of the cached JWT token and serve the requests. In this approach, Frontend Module doesn't need to be aware of any details about authentication ./ authorization.

So, your suggested approach to handle redirects in Frontend module doesn't work in this case.

Also, as we already have an existing logged-in user session, we just need to get the first call extract the JWT token and may be we can then store the access_token in Frontend to pass on for other requests. Even in that case, we require the first backend call to extract the JWT token and pass it on to Frontend Module.

[tjquinno]

In looking on the web at other OIDC providers, it seems fairly widespread that they support CORS. In a quick chat, Santiago tends to agree.

As a result, we should probably go ahead and allow users to enable CORS support for our OIDC support.

[tjquinno]

Fixed in 2.x and 3.x.