I have run into this problem a number of times when using the OAuth2 policy for token validation. The issue seems to be that when validation fails and a 401 should be returned, it is essentially raising an exception to short-circuit the rest of the policies. This seems to include the response for a proxy endpoint. I added the AddCORS policy to the response and it doesn't appear to be executed.
When the token is valid I had to add the Preflight Options check and that fixed normal usage. And this works.
My question is: Is there any way to execute the AddCORS policy for the response when the token is expired?
I had read a little bit about changing/writing my own policy to perform validation to change how it proceeds upon exception, but I was hoping to avoid this path. Is this the way I need to proceed?
If you put the AddCORS policy before your OAuth Verify policy it should still execute. However, once it hits the OAuth policy, it will return a 401, even and especially before hitting your backend.
Thanks I will give it a shot!
Hey guys, I implemented something like that and it served me correctly.
In the proxy endpoint, we must place in the PreFlow a FlowCallout call that invokes a shared flow containing the CORS policy:
FC-CORS
FC-OAuth2
Definition of the FlowCallout, where we invoke the shared flow:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
FC-CORS
OPTIONS-CORS-Headers-Response
Definition of the shared flow:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
OPTIONS-CORS-Headers-Response
request.verb == "OPTIONS"
Definition of the RaiseFault policy, where we set the Access-Control-Allow-Origin header to *, which allows the invocation from our browser:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
OPTIONS CORS Headers Response
*
origin, x-requested-with, accept, ucsb-api-key, ucsb-api-version, authorization
3628800
GET, PUT, POST, DELETE
200
OK
true
Angular:
const httpOptions2 = { headers: new HttpHeaders({ 'Authorization': 'Bearer token' }) };
obtenerCatalogos(): Observable<any> { return this.httpClient.get(uriApigee + 'endpointapigee', httpOptions2); }
Regards
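As an added example (not part of any post in this thread, and not Apigee code): a simplified JavaScript model of the browser's CORS checks, run against the header values from the RaiseFault policy above and a constructed 401 that carries no CORS headers. It shows why the preflight fix works while an expired-token 401 without CORS headers stays unreadable to the page; the function names, the origin `https://app.example` and the sample objects are assumptions made for the example.

```javascript
// Added example: simplified model of the browser's CORS checks (Fetch spec).
const ORIGIN = 'https://app.example'; // constructed origin of the Angular app

// Headers the thread's RaiseFault policy returns for OPTIONS (values from the post).
const preflightResponse = {
  status: 200,
  headers: {
    'access-control-allow-origin': '*',
    'access-control-allow-headers':
      'origin, x-requested-with, accept, ucsb-api-key, ucsb-api-version, authorization',
    'access-control-max-age': '3628800',
    'access-control-allow-methods': 'GET, PUT, POST, DELETE',
  },
};
// Constructed: a 401 raised by the OAuth policy with no CORS headers attached.
const bare401 = { status: 401, headers: { 'www-authenticate': 'Bearer' } };

const list = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
// Simplification: safelisted headers also have value restrictions, ignored here.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// Origin check applied to both the preflight and the actual response.
function originAllowed(res, origin, credentials = false) {
  const acao = res.headers['access-control-allow-origin'];
  if (credentials) {
    // With cookies or client certs, "*" is rejected and Allow-Credentials must be "true".
    return acao === origin && res.headers['access-control-allow-credentials'] === 'true';
  }
  return acao === '*' || acao === origin;
}

// Would the browser send the real request after this preflight response?
function preflightPasses(res, { origin, method, headers = [], credentials = false }) {
  if (res.status < 200 || res.status > 299) return false;
  if (!originAllowed(res, origin, credentials)) return false;
  const wildcardOk = (names) => !credentials && names.includes('*');
  const methods = list(res.headers['access-control-allow-methods']);
  const m = method.toLowerCase();
  if (!['get', 'head', 'post'].includes(m) && !methods.includes(m) && !wildcardOk(methods)) return false;
  const allowed = list(res.headers['access-control-allow-headers']);
  // "authorization" is never covered by a "*" wildcard; it must be listed by name.
  return headers.map((h) => h.toLowerCase()).every((h) =>
    SAFELISTED.has(h) || allowed.includes(h) || (h !== 'authorization' && wildcardOk(allowed)));
}

// Can page script read this response, or does it only see a network error?
function responseReadable(res, origin, credentials = false) {
  return originAllowed(res, origin, credentials);
}
```

With the thread's headers, a GET carrying `Authorization` passes the preflight, while a PATCH or an unlisted custom header does not. The bare 401 fails the origin check, so the Angular client sees a status 0 error instead of the 401.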