我正在使用okta oAuth对angular 8应用程序进行身份验证和授权。由于获取'https://dev-166545.okta.com/oauth2/aus1igd7yewoAs4xa357/.well-known/openid-configuration导致了问题
我在okta受信任来源中添加了重定向URL。由于公司政策,我无法在CORS中添加URL。
我该如何解决CORS问题
access to XMLHttpRequest at 'https://dev-166545.okta.com/oauth2/aus1igd7yewoAs4xa357/.well-known/openid-configuration' from origin 'https://localhost:44307' has been blocked by CORS policy: No 'access-control-allow-origin' header is present on the requested resource.
但是,在网络中我可以看到
问题需要更多细节。尤其是预检请求/响应头,请求/响应头。不要使用localhost(因为提到了浏览器问题)和http(因为使用https设置产品需要不同的CORS配置)。
原始卷曲预检:
curl -H "Origin: https://acme.com" \
-H "Access-Control-Request-Method: GET" \
-H "Access-Control-Request-Headers: X-Requested-With,:method" \
-X OPTIONS -k https://dev-166545.okta.com/oauth2/aus1igd7yewoAs4xa357/.well-known/openid-configuration \
--silent --verbose 2>&1 | grep Access-Control
=>让您了解请求的内容和返回的内容。
类型CORS!=类型Redirect +有效来源例如是http://localhost:8080,而不是http://localhost:8080/->不清楚如何配置CORS类型。>
首选方法是将您的网络域添加到Okta的API /受信任来源下-如step 7 of my write up
需要CORS才能通过Authorization Code Flow (PKCE)为SPA实现开放式ID连接到最新的安全标准。
OIDC客户端中还有一个替代选项,它是避免提供授权URL并明确提供重定向端点和令牌签名密钥。例如,在my Azure code sample中,我通过显式提供令牌签名密钥来阻止JWKS查找。
但是,您将受到隐式流的限制,不再建议这样做,因此,这将削弱应用程序的安全性-这不符合公司的利益-并为代码增加了相当大的复杂性。
也许下一步是我对您的涉众做出回应-并说服他们做一些明智的事情,将其更新为推荐的行业标准安全设置
,getClientSettings(configuration: IOpenIdOptions): UserManagerSettings {
return {
authority: configuration.authority + '/',client_id: configuration.clientId,redirect_uri: configuration.redirectUri,post_logout_redirect_uri: configuration.redirectUri,response_type: configuration.responseType,// "id_token token",scope: "openid profile email " + configuration.apiResourceId,filterProtocolClaims: true,loadUserInfo: false,automaticSilentRenew: true,monitorSession: true,silent_redirect_uri: configuration.silentRedirectUri,accessTokenExpiringNotificationTime: 20,//default 60
checkSessionInterval: 5000,//default 2000
silentRequestTimeout: 20000,//default: 10000
// When CORS is disabled,token signing keys cannot be retrieved
// Manual the metadata and singinKeys for okta auth
metadata: {
// Magic happen here. Confugure to local host
jwks_uri: configuration.jwksUri,authorization_endpoint: `${configuration.authority}/v1/authorize`,issuer: configuration.authority
},};
}
Appsetting.json
"openId": {
"authority": "https://dev-166545.okta.com/oauth2/xxxxxxxxxxxxxx","clientId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","apiResourceId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","redirectUri": "https://localhost:44307/auth-callback","silentRedirectUri": "https://localhost:44307/assets/silent-renew.html","responseType": "id_token token","jwksUri" : "https://localhost:44307/assets/jwks.json"
}