[Apiman-user] CORS preflight OPTIONS request requires Authorization header

Eric Wittmann eric.wittmann at redhat.com
Mon Aug 29 08:48:54 EDT 2016


Yeah the JIRA you referenced is specifically a problem with CORS on the 
gateway's own API (not APIs proxied by the gateway).

Do you have the CORS policy configured *before* the Keycloak OAuth 
policy?  I'd have to check the implementation, but I would think that 
pre-flight (OPTIONS) requests would return an immediate response (by the 
CORS plugin) and thus never reach the OAuth policy.  If that's not 
happening, then perhaps that is a bug in the CORS policy...

@msvay - any thoughts on this?

-Eric

On 8/25/2016 3:53 AM, Melih Ozdemirkan wrote:
> I have an API provisioned on APIMAN with Keycloak OAuth Policy and CORS
> Policy (using APIMAN Plugins). On the client side, I get the JWT token from
> Keycloak and add the authorization header to the GET request sent to APIMAN for
> my own API. The problem is that APIMAN rejects the OPTIONS preflight with 401
> Unauthorized with the message "OAuth2 'Authorization' header or
> 'access_token' query parameter must be provided."
>
>
>
> I am using APIMAN 1.2.7_final. I applied the workaround in the JIRA issue
> given below but it didn't work for me. Does it work for both APIMAN's
> own REST endpoints and my own APIs? I suppose it is not valid for the
> latter.
>
>
>
> http://lists.jboss.org/pipermail/apiman-user/2016-July/000727.html
>
>
> https://issues.jboss.org/browse/APIMAN-1209
>
>
>
>
>
> *TOKEN REQUEST TO KEYCLOAK*
>
> *General*
>
> Request
> URL:http://localhost:8280/auth/realms/company/protocol/openid-connect/token
>
> Request Method:POST
>
> Status Code:200 OK
>
> Remote Address:127.0.0.1:8280
>
>
>
> *Response Headers*
>
> Access-Control-Allow-Credentials:true
>
> Access-Control-Allow-Origin:http://localhost:8080
>
> Access-Control-Expose-Headers:Access-Control-Allow-Methods
>
> Connection:keep-alive
>
> Content-Length:3175
>
> Content-Type:application/json
>
> Date:Thu, 25 Aug 2016 07:22:59 GMT
>
> Server:WildFly/10
>
> X-Powered-By:Undertow/1
>
>
>
> *Request Headers*
>
> Accept:*/*
>
> Accept-Encoding:gzip, deflate
>
> Accept-Language:tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4
>
> Connection:keep-alive
>
> Content-Length:78
>
> Content-Type:application/x-www-form-urlencoded
>
> Host:localhost:8280
>
> Origin:http://localhost:8080
>
> Referer:http://localhost:8080/login-services/login.html
>
> User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
>
> *Form Data*
>
> username:username
>
> password:pasword
>
> grant_type:password
>
> client_id:company
>
>
>
>
>
> *GET REQUEST TO API on APIMAN*
>
> *General*
>
> Request
> URL:http://localhost:8280/apiman-gateway/client/test-services-ws/1.0/getuser/
>
> Request Method:OPTIONS
>
> Status Code:*401 Unauthorized*
>
> Remote Address:127.0.0.1:8280
>
>
>
> *Response Headers*
>
> Connection:keep-alive
>
> Content-Type:application/json
>
> Date:Thu, 25 Aug 2016 07:22:59 GMT
>
> Server:WildFly/10
>
> Transfer-Encoding:chunked
>
> X-Policy-Failure-Code:11005
>
> X-Policy-Failure-Message:*OAuth2 'Authorization' header or
> 'access_token' query parameter must be provided*.
>
> X-Policy-Failure-Type:Authentication
>
> X-Powered-By:Undertow/1
>
>
>
> *Request Headers*
>
> Accept:*/*
>
> Accept-Encoding:gzip, deflate, sdch
>
> Accept-Language:tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4
>
> Access-Control-Request-Headers:authorization
>
> Access-Control-Request-Method:GET
>
> Connection:keep-alive
>
> Host:localhost:8280
>
> Origin:http://localhost:8080
>
> Referer:http://localhost:8080/login-services/login.html
>
> User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
>
>
>
>
>
> Best regards,
>
> *Melih Özdemirkan*
>
> *AvivaSA Emeklilik ve Hayat A.Ş.*
>
> *Channel and Integration Applications*
>
> *Consultant*
>
> *www.avivasa.com.tr <http://www.avivasa.com.tr/>*
>
> *Saray Mah. Dr. Adnan Büyükdeniz Cad. No:12 34768*
>
> *Ümraniye – İstanbul*
>
>
> The information contained in this e-mail (including any attachments) is
> confidential. It must not be disclosed to any person without our
> authority. If you are not the intended recipient, please delete it from
> your system immediately. AvivaSA Emeklilik ve Hayat A.S. makes no
> warranty as to the accuracy or completeness of any information contained
> in this message and hereby excludes any liability of any kind for the
> information contained therein or for the information transmission,
> reception, storage or use of such in any way whatsoever. This message is
> scanned for known viruses by AvivaSA Emeklilik ve Hayat A.S. But
> Internet communications cannot be guaranteed to be secure or error-free
> as information could be intercepted, corrupted, lost, arrive late or
> contain viruses. The AvivaSA Emeklilik ve Hayat A.S. therefore does not
> accept liability for any errors or omissions in the context of this
> message which arise as a result of Internet transmission. Any opinions
> expressed in this message are those of the author and may not
> necessarily reflect the opinions of AvivaSA Emeklilik ve Hayat A.S.
>
>
>
> _______________________________________________
> Apiman-user mailing list
> Apiman-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/apiman-user
>
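The ordering point Eric raises above is easiest to see in code. The following is an added example, not apiman code: a toy policy chain in Node.js in which each policy either answers the request itself or passes it on. The policy names, the allowed-origin list and the token value are assumptions made for the demonstration; the two sample requests are constructed to mirror the preflight and the follow-up GET quoted in the thread. With the OAuth policy first, the preflight (which the browser sends with no `Authorization` header, only `Access-Control-Request-Headers: authorization`) is rejected with the 401 shown above; with the CORS policy first, the preflight is answered immediately and the actual GET still has to carry a valid bearer token.

```javascript
// Added example (not apiman code): a toy policy chain that models the ordering
// problem in the thread. ALLOWED_ORIGINS and VALID_TOKEN are assumptions.

const ALLOWED_ORIGINS = new Set(["http://localhost:8080"]); // assumed allow-list
const VALID_TOKEN = "demo-jwt"; // stands in for a Keycloak-issued JWT
const MISSING_TOKEN_MSG =
  "OAuth2 'Authorization' header or 'access_token' query parameter must be provided.";

// A request is a browser CORS preflight only if all three hold. A bare OPTIONS
// without Origin/Access-Control-Request-Method must NOT be short-circuited,
// otherwise the CORS policy would become an authentication bypass for OPTIONS.
function isPreflight(req) {
  const h = req.headers;
  return req.method === "OPTIONS" && "origin" in h && "access-control-request-method" in h;
}

// CORS policy: answers a genuine preflight itself (the browser never attaches
// Authorization to it); otherwise runs the rest of the chain and decorates the
// real response with the CORS headers for an allowed origin.
function corsPolicy(req, next) {
  const origin = req.headers["origin"];
  if (isPreflight(req)) {
    if (!ALLOWED_ORIGINS.has(origin)) {
      return { status: 403, headers: {}, body: "origin not allowed" };
    }
    return {
      status: 204,
      headers: {
        "access-control-allow-origin": origin,
        "access-control-allow-credentials": "true",
        "access-control-allow-methods": "GET, POST, OPTIONS",
        "access-control-allow-headers": req.headers["access-control-request-headers"] || "",
        "access-control-max-age": "600",
        "vary": "Origin",
      },
      body: "",
    };
  }
  const res = next(req);
  if (origin !== undefined && ALLOWED_ORIGINS.has(origin)) {
    res.headers["access-control-allow-origin"] = origin;
    res.headers["access-control-allow-credentials"] = "true";
    res.headers["vary"] = "Origin";
  }
  return res;
}

// OAuth policy: requires a bearer token on every request it sees, preflight or not.
function oauthPolicy(req, next) {
  const m = /^Bearer\s+(\S+)$/i.exec(req.headers["authorization"] || "");
  if (m === null) {
    return {
      status: 401,
      headers: {
        "x-policy-failure-type": "Authentication",
        "x-policy-failure-code": "11005",
        "x-policy-failure-message": MISSING_TOKEN_MSG,
      },
      body: "",
    };
  }
  // Real JWT validation (signature, exp, iss, aud) is replaced by a constant compare.
  if (m[1] !== VALID_TOKEN) {
    return { status: 401, headers: { "x-policy-failure-type": "Authentication" }, body: "" };
  }
  return next(req);
}

function backend(req) {
  return { status: 200, headers: { "content-type": "application/json" }, body: '{"user":"demo"}' };
}

// Runs the policies in order; each may return a response or call next(req).
function runChain(policies, req) {
  const step = (i) => (r) => (i < policies.length ? policies[i](r, step(i + 1)) : backend(r));
  return step(0)(req);
}

// Constructed requests mirroring the ones quoted above (header names lower-cased).
const PREFLIGHT = {
  method: "OPTIONS",
  path: "/apiman-gateway/client/test-services-ws/1.0/getuser/",
  headers: {
    "origin": "http://localhost:8080",
    "access-control-request-method": "GET",
    "access-control-request-headers": "authorization",
  },
};
const ACTUAL_GET = {
  method: "GET",
  path: PREFLIGHT.path,
  headers: { "origin": "http://localhost:8080", "authorization": "Bearer " + VALID_TOKEN },
};

const OAUTH_FIRST = [oauthPolicy, corsPolicy];
const CORS_FIRST = [corsPolicy, oauthPolicy];

console.log("OAuth first, preflight:", runChain(OAUTH_FIRST, PREFLIGHT).status); // 401
console.log("CORS first,  preflight:", runChain(CORS_FIRST, PREFLIGHT).status);  // 204
console.log("CORS first,  GET+token:", runChain(CORS_FIRST, ACTUAL_GET).status); // 200
```

Two checks worth carrying over to a real gateway: the preflight short-circuit must fire only on a genuine preflight (OPTIONS plus `Origin` plus `Access-Control-Request-Method`) and only for an allow-listed origin, and the actual request must still pass through the OAuth policy, so putting CORS first never weakens authentication of the GET itself.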

