wso2 / docs-apim

Apache License 2.0

Vague information related to enabling CORS for OAuth Token related Endpoints #4313

Open Sarangan0219 opened 3 years ago

Sarangan0219 commented 3 years ago

Description:

The Enabling CORS for OAuth Token related Endpoints doc points to the IS CORS doc to perform the intended configuration. But the IS doc has no information related to enabling CORS for OAuth token-related endpoints.

Is there any reason to remove this content from this section and point to the IS docs?

Affected Version:

APIM 4.0.0

Mariangela commented 3 years ago

@isharac, please clarify because it looks like you have made this change.

isharac commented 3 years ago

The APIM 4.0.0 gateway no longer proxies the identity endpoints. Therefore we cannot enable CORS for the endpoints using XML files, so the invalid content was removed from the 4.0.0 docs space. We need to refer to the IDP documentation to find out how to do it.

ramindu90 commented 1 year ago

Hi Team,

Even though the CORS configuration was added following documentation[1] with APIM-4.2.0, I was still getting the following error.

Access to XMLHttpRequest as 'https://localhost:9445/oauth2/token' from origin 'http://localhost:3001' has been 
blocked by CORS policy: Response to preflight request doesn't pass access control check: 
No 'Access-Control-Allow-Origin' header is present on the requested resource.

I was able to get it working by referring to SOF[2] and adding

<bean id="cors-filter" class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter">
    <property name="allowHeaders">
        <list>
            <value>Authorization</value>
            <value>X-WSO2-Tenant</value>
            <value>content-type</value>
        </list>
    </property>
    <property name="exposeHeaders">
        <list>
            <value>Content-Disposition</value>
        </list>
    </property>
    <property name="allowCredentials" value="true" />
    <property name="allowOrigins" value="http://localhost:3000" />
</bean>

as another bean alongside the others, and

<ref bean="cors-filter" />

under the <jaxrs:providers> tag in /repository/deployment/server/webapps/oauth2/WEB-INF/cxf-servlet.xml, and restarting the server.

  1. https://is.docs.wso2.com/en/6.0.0/deploy/configure-cors/#configuring-cors-during-deployment
  2. https://stackoverflow.com/questions/75764225/cors-configuration-not-working-in-wso2-api-manager-for-oauth2-token-api
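The preflight failure quoted above is decided entirely in the browser from the Access-Control-* headers the token endpoint returns. The following added example (not WSO2 or CXF code) models, in a simplified way, the headers the cors-filter bean above would emit and the checks a browser applies to them; the origins and header lists are constructed from the bean, and the filter model is an assumption, not the real CrossOriginResourceSharingFilter logic.

```python
# Added example: models what a browser does with the preflight (OPTIONS) response
# that a CORS filter configured like the <bean> above would emit. Not WSO2 or CXF
# code; the filter model is simplified and every value below is constructed.
from typing import Dict, List, Optional

# Settings copied from the <bean> above (constructed test data, not a live server).
ALLOW_ORIGINS = ["http://localhost:3000"]
ALLOW_HEADERS = ["Authorization", "X-WSO2-Tenant", "content-type"]
ALLOW_CREDENTIALS = True


def filter_preflight_response(origin: str) -> Dict[str, str]:
    """Simplified (assumed) filter model: CORS headers only for a listed origin."""
    if origin not in ALLOW_ORIGINS:
        return {}  # unlisted origin: no Access-Control-* headers are added at all
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true" if ALLOW_CREDENTIALS else "false",
        "Access-Control-Allow-Headers": ", ".join(ALLOW_HEADERS),
    }


def browser_verdict(origin: str, request_headers: List[str],
                    response: Dict[str, str], with_credentials: bool = True) -> Optional[str]:
    """Return None if the browser would let the real POST through, else the reason."""
    resp = {k.lower(): v for k, v in response.items()}
    acao = resp.get("access-control-allow-origin")
    if acao is None:
        return "No 'Access-Control-Allow-Origin' header is present on the requested resource."
    if acao == "*":
        if with_credentials:  # a wildcard never satisfies a credentialed request
            return "wildcard Access-Control-Allow-Origin rejected for credentialed request"
    elif acao != origin:  # origins must match exactly: scheme, host and port included
        return f"origin {origin} does not match Access-Control-Allow-Origin {acao}"
    if with_credentials and resp.get("access-control-allow-credentials", "").lower() != "true":
        return "Access-Control-Allow-Credentials is not 'true'"
    allowed = {h.strip().lower() for h in resp.get("access-control-allow-headers", "").split(",")}
    for header in request_headers:  # non-safelisted headers (Authorization, a JSON
        if header.lower() not in allowed:  # Content-Type, ...) must each be listed explicitly
            return f"request header {header} is not in Access-Control-Allow-Headers"
    return None


def check_token_call(origin: str) -> Optional[str]:
    """Preflight for a credentialed POST /oauth2/token sending Authorization + JSON body."""
    return browser_verdict(origin, ["Authorization", "Content-Type"],
                           filter_preflight_response(origin))
```

Running check_token_call for http://localhost:3001 against a bean that only lists http://localhost:3000 reproduces the exact message quoted in the comment, which is why the allowed origin must match the calling page's scheme, host and port exactly.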

janithcmw commented 1 year ago

Hi All,

When trying out APIM-4.2.0 (U26), a similar behaviour was observed related to CORS. As per the docs, to enforce CORS for the 'token' endpoint, the documentation[1] under the IS doc space is pointed to.

But with the suggested configurations it was not possible to allow selected origins in APIM-4.2.0. During the analysis, it was observed that it is required to add the following valve under catalina-server.xml to use the CORS configurations:

<Valve className="org.wso2.carbon.identity.cors.valve.CORSValve"/>

But the relevant class was not present in APIM-4.2.0, so I had to add the corresponding jar, 'org.wso2.carbon.identity.cors.mgt.core_5.23.8.jar', to the APIM server. With these two changes I was able to use the following configuration effectively in APIM-4.2.0:

[cors]
allow_generic_http_requests = true
allow_any_origin = false
...

Kindly have a look at this pointed scenario.

Best Regards, Janith.