Trying to do some authorization - Forum - OpenEdge General - Progress Community

Trying to do some authorization

 Forum

Trying to do some authorization

This question is not answered

11.7

This is probable a bit no-Progress relatet, but  hopefully I can get some info.

It is HTML....

Doing some authentication I am receiving an Return to Our redirect_url:

minside.no/test.html

I am trying to do something like this:

JavaScript:

myParam = "&response_type=code&client_id=oidc_ovf&scope=openid profile&state=" + getURLparam('state') + "&redirect_uri=" + encodeURI("minside.no/test.html");
getToken("oidc-ver1xxxxxxxn-oidc-provider/token",myParam);

:

:

function getToken(inUrl,inParam){
   $.ajax({
     type:"POST",
  url:inUrl,
  data: $(this).serialize() + inParam,
  success: function(data) { window.alert("Success:" + data);}
  });
      };            

All Replies
  • Ups, I can see that I forgot to ask my question, sorry....

    I get this error, that seems to be related to CORS, but I am not sure how to get this right.

    When I do the POST, it seems like the method is changed to OPTIONS, and that is forbidden by the receiver.

    ____________

    jquery.min.js:4 OPTIONS oidc-ver1.difi.no/.../token 403 (Forbidden)

    __________________

    Failed to load oidc-ver1.difi.no/.../token: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://minside.ovf.no' is therefore not allowed access. The response had HTTP status code 403.

    ________________

    How can I solve this?

    I know our domain has a bigIP system that translate official ip:port to internal IP:port. Could that be a problem related to this?

  • Goto oeablSecurity.properties (either in the conf director or in WEB-INF of your webapp) and locate `OECORSFilter.allowDomains=`. Set the correct domain there. This would probably be "minside.ovf.no".

  • It is pure HTML/javascript, so eoablSecurity is not in play, and minside.no is our side, and  oidc-ver1.difi.no is the security site who seems to reject us.

  • Tutorial on using CORS (& jQuery):

    www.html5rocks.com/.../

  • Some web page on their site (oidc-ver1.difi.no) make a request on your site and the response you send back doesn't have the necessary CORS headers or it doesn't white list their domain (difi.no). If you are in control of the response there you just need to send the appropriate headers back in that request so the client does not complain about CORS.
       
    Marian Edu

    Acorn IT 
    +40 740 036 212

  • After strugeling some hours now, I am still not Close to a solution. Is there anyone that could help geting me to understand this (or fix it) I will gladly pay the time it takes.

    my latest attempt:

    xhr.open(method, url, true);

           xhr.setRequestHeader('Authorization','Bearer ' + getURLparam('code') );  

    //    xhr.setRequestHeader('Access-Control-Allow-Headers','Content-Type, Accept, X-Requested-With, Session');  

    // xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');  

    xhr.setRequestHeader('Access-Control-Allow-Origin','*');

    xhr.setRequestHeader('Access-Control-Allow-Methods','GET, POST, PATCH, PUT, DELETE, OPTIONS');

    xhr.setRequestHeader('Access-Control-Allow-Headers','Origin, Content-Type, X-Auth-Token');

    Still no GO.

    //Geir Otto

  • Anyone that could point me to a site where I could find some people for hire to fix this problem for me??

  • You don't need to set the headers on the XMLHttpRequest when calling the external api service, you need to set the headers on your server that returns that web page where you make the XMLHttpRequest so your server tells the client browser it is allowed to make requests to other servers than the origin (your server).

    Now, if that is a static page then you need to set the headers on the web server so this depends on what web server you use there... or if it's a dynamic page (asp, php, webspeed) you can set the headers as you build the page.

    header('Access-Control-Allow-Origin: oidc-ver1.difi.no');
    header('Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS');
    header('Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token');


    Marian Edu

    Acorn IT 
    +40 740 036 212

  • Marian,

    The client is loging in to minside.ovf.no/index.html. This webserver is reached behind a proxy that probably does a porttranslation (if that has anything to do with this). The index.html sends a GET to oidc-ver1.difi.no/.../authorize with a respond_url that points to minside.ovf.no/test.html. In test.html, I find code and status and then I need to do a new call to oidc-ver1.difi.no/.../Token that contains a httpheader: "Bearer <auth...code>"  that is the code I get, this is sent using POST. Is it so that difi.no has to do something on their webserver to allow me communicating? As I understand, the errormessage I get is related to the preposting that ajax does regard to CORS. I have a webspeed avail, would it be easier to use that for making the call?

  • I see, so they aren't calling back using xmlhttprequest... it's only you that make calls to them that way, the first one using GET works and you get them to somehow callback to your test.html page. The problem seems to occur when you make a xmlhttprequest from that test.html page back to their server right? How do you receive the authorisation token and how do you send that back, any reason for you to use POST instead of GET?

    What if you use some webspeed page instead of the static one and see what they send back, maybe you can make the post request from the server side instead of using xmlhttprequest. If you look at the network tab in the browser javascript console what is the sequence of requests/redirects that you see? Particularly check the headers sent in first GET response to their server, there should be some CORS related headers.

    Looks like some oauth authentication but I can't get much info from their web site but looks like some eGovernment site. Usually the way it works is if someone lands on you server and you need to do some authorisation then you redirect them to the auth server (difi.no) with your application/client identifiers, they do the login and if all good redirects the user back to your redirect URL and send you some token in the request. Then you can use that token in subsequent requests to difi.no services. Is that something you're trying to implement or is some other flow that you use?
     
    Marian Edu

    Acorn IT 
    +40 740 036 212