Applying CORS Filter to wso2 Identity Server

When a page hosted on one domain calls an endpoint of the oauth2 webapp of WSO2 Identity Server from JavaScript, and the Identity Server is hosted on a different domain, the browser reports: "No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://XXXXXXX is therefore not allowed access." This is a cross-origin request: the script runs under one origin (scheme, host and port) and uses XMLHttpRequest or XDomainRequest to fetch a resource from another, and the browser's same-origin policy blocks the script from reading the response unless the server explicitly opts in.

To allow the call, the server has to opt in by returning the header below, which we add with a custom filter.
 Access-Control-Allow-Origin: http://example.com
(Here http://example.com is the origin of the page that hosts the script. It has to match that page's scheme, host and port exactly; "http://example.com" does not cover "https://example.com" or "http://example.com:8080".)

Invoking UserInfo endpoint of wso2 Identity Server from JavaScript

There are two possible ways to add the CORS header.

1. Customizing OpenIDConnectUserEndpoint.java as below and replacing oauth2.war.
The header below can be added to the response built in getUserClaims(). With it, OpenIDConnectUserEndpoint can be invoked from the 'http://example.com' origin. Putting '*' instead of 'http://example.com' allows the endpoint to be invoked from any origin, which is a security risk, because scripts on any site can then read the endpoint's responses.

respBuilder.header("Access-Control-Allow-Origin", "http://example.com");
 
Note: customizing the endpoint to allow cross-origin communication and replacing the war is not recommended; the second approach below needs configuration only.

2. Applying CORS Filter 

A cors-filter [1][2] is already bundled with the oauth webapp of WSO2 Identity Server, so the header above can be added with the following configuration changes to web.xml, located in {Product_Home}/repository/deployment/server/webapps/oauth2/WEB-INF.

Enable the CORS filter for the oauth webapp by adding the filter and filter mapping to web.xml as below.

<filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
    <init-param>
        <param-name>cors.allowOrigin</param-name>
        <param-value>http://example.com</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/example.html</url-pattern>
</filter-mapping>
 


The url-pattern of the filter mapping has to match the path of the endpoint the script actually calls; /example.html above is only a placeholder, so set it to the path at which the UserInfo endpoint is served inside the oauth2 webapp (or to /* if every endpoint of the webapp should carry the header, which is rarely what you want). You can provide a whitespace-separated list of origins that the CORS filter must allow as cors.allowOrigin. Do not use the wildcard *: it allows any origin, and since CORS does not permit a wildcard together with credentials, a filter that still honours credentials ends up echoing the requesting origin back, which hands every site access to the endpoint. Note also that the UserInfo call carries an Authorization header, so the browser sends an OPTIONS preflight first; if you restrict the filter's cors.supportedHeaders or cors.supportedMethods, keep Authorization and OPTIONS in them or the real request is never sent.
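The following is an added example, not code from this post, from WSO2 or from the cors-filter project. It models the decision a CORS allowlist filter makes for the UserInfo call described above (the header explained at the top of the post and the cors.allowOrigin list just discussed), so that the safe configuration and the two mistakes warned about (wildcard origins and loose origin matching) can be compared on constructed requests. The config keys mirror the filter's cors.* init-param names but the matching rules are my own simplification, the allowlist is an array rather than a whitespace-separated string, and the sample requests are constructed; check the filter's documentation for its exact behaviour.

```javascript
// Normalise an Origin header value to the scheme://host[:port] tuple the
// browser compares. Anything that is not a bare origin (a path, a userinfo
// part, a non-HTTP scheme, or the literal "null" that sandboxed frames and
// file:// pages send) is rejected rather than matched.
function parseOrigin(value) {
  if (typeof value !== 'string') return null;
  let u;
  try { u = new URL(value); } catch { return null; }
  if (u.origin === 'null' || u.pathname !== '/' || u.search || u.hash ||
      u.username || u.password) return null;
  return u.origin; // lower-cases scheme and host, drops default ports
}

// Exact-tuple matching against the allowlist. Subdomain matching, if enabled,
// still requires the same scheme and port: only the host may gain a prefix.
function originAllowed(config, origin) {
  if (config.allowOrigin.includes('*')) return true;
  const req = new URL(origin);
  return config.allowOrigin.some((entry) => {
    const allowed = parseOrigin(entry);
    if (!allowed) return false;
    if (allowed === origin) return true;
    if (!config.allowSubdomains) return false;
    const a = new URL(allowed);
    return a.protocol === req.protocol && a.port === req.port &&
      req.hostname.endsWith('.' + a.hostname);
  });
}

// Decide the CORS response headers for one request: { allowed, headers }.
// A request from an origin that is not allowed gets no CORS headers at all,
// which is exactly what makes the browser raise the error quoted above.
function corsDecision(config, req) {
  const origin = parseOrigin(req.headers.origin);
  if (!origin || !originAllowed(config, origin)) return { allowed: false, headers: {} };

  const headers = {};
  if (config.allowOrigin.includes('*') && !config.supportsCredentials) {
    headers['Access-Control-Allow-Origin'] = '*';
  } else {
    // Echoing the origin is mandatory when credentials are allowed; with a
    // wildcard allowlist that means every site gets credentialed access.
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Vary'] = 'Origin'; // stop caches serving one origin's answer to another
  }
  if (config.supportsCredentials) headers['Access-Control-Allow-Credentials'] = 'true';

  const wantMethod = req.headers['access-control-request-method'];
  if (req.method === 'OPTIONS' && wantMethod) {
    // Preflight: the browser sends this before any request that carries an
    // Authorization header, so it must be accepted or the real call never happens.
    const wantHeaders = (req.headers['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    const supported = config.supportedHeaders.map((h) => h.toLowerCase());
    const okMethod = config.supportedMethods.includes(wantMethod.toUpperCase());
    const okHeaders = wantHeaders.every((h) => supported.includes(h));
    if (!okMethod || !okHeaders) return { allowed: false, headers: {} };
    headers['Access-Control-Allow-Methods'] = config.supportedMethods.join(', ');
    headers['Access-Control-Allow-Headers'] = config.supportedHeaders.join(', ');
    headers['Access-Control-Max-Age'] = String(config.maxAge);
  }
  return { allowed: true, headers };
}

// Refuse the combination the text warns about before it reaches a server.
function validateConfig(config) {
  if (config.allowOrigin.includes('*') && config.supportsCredentials) {
    throw new Error('cors.allowOrigin=* with credentials exposes the endpoint to every site');
  }
  return config;
}

// The substring check hand-rolled filters often use, shown only as a contrast.
function naiveAllowed(allowedHost, origin) {
  return origin.includes(allowedHost);
}

// Constructed config matching the web.xml above, plus the preflight-related
// settings the UserInfo call needs because it sends an Authorization header.
const safeConfig = validateConfig({
  allowOrigin: ['http://example.com'],
  allowSubdomains: false,
  supportedMethods: ['GET', 'OPTIONS'],
  supportedHeaders: ['Authorization'],
  supportsCredentials: false,
  maxAge: 600,
});

// Constructed requests: the legitimate page, a look-alike attacker origin,
// and the preflight the browser issues before the real UserInfo call.
const fromExample = { method: 'GET', headers: { origin: 'http://example.com' } };
const fromLookalike = { method: 'GET', headers: { origin: 'http://example.com.evil.test' } };
const preflight = { method: 'OPTIONS', headers: { origin: 'http://example.com',
  'access-control-request-method': 'GET', 'access-control-request-headers': 'authorization' } };

console.log(corsDecision(safeConfig, fromExample).headers);             // ACAO echoes http://example.com
console.log(corsDecision(safeConfig, fromLookalike).allowed);           // false: no CORS headers at all
console.log(naiveAllowed('example.com', fromLookalike.headers.origin)); // true: substring matching is unsafe
console.log(corsDecision(safeConfig, preflight).headers);               // methods, headers and max-age
```

The look-alike origin is the case to keep in mind when an allowlist is widened: a substring or prefix test on the host passes http://example.com.evil.test, while comparing the full origin tuple does not, and turning on subdomain matching only ever allows hosts that end in ".example.com" under the same scheme and port.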

 

Because oauth2.war already includes the cors-filter dependency, nothing has to be added to its pom.xml. For another webapp the dependency has to be added too, as below.

Applying CORS Filter to other webapp


1. Add the following module to the dependencies section of pom.xml
<dependency>
    <groupId>com.thetransactioncompany.wso2</groupId>
    <artifactId>cors-filter</artifactId>
    <version>1.7.0.wso2v1</version>
</dependency>

2. Enable the CORS filter for the webapp by adding the filter configuration to web.xml in the {sample_web_app}/src/main/webapp/WEB-INF directory, as described in the second approach above.
 
  
