[Apiman-user] CORS preflight OPTIONS request requires Authorization header

Melih Ozdemirkan Melih.Ozdemirkan at avivasa.com.tr
Wed Aug 31 10:30:32 EDT 2016


Having the CORS policy configured just before the Keycloak OAuth policy did the trick. Many thanks for your help. By the way, it would be good to have this behaviour documented or to have a warning on the plugin configuration page.


-----Original Message-----
From: Eric Wittmann [mailto:eric.wittmann at redhat.com]
Sent: Monday, August 29, 2016 3:49 PM
To: Melih Ozdemirkan <Melih.Ozdemirkan at avivasa.com.tr>; apiman-user at lists.jboss.org
Subject: Re: [Apiman-user] CORS preflight OPTIONS request requires Authorization header

Yeah, the JIRA you referenced is specifically a problem with CORS on the gateway's own API (not APIs proxied by the gateway).

Do you have the CORS policy configured *before* the Keycloak OAuth policy?  I'd have to check the implementation, but I would think that pre-flight (OPTIONS) requests would return an immediate response (by the CORS plugin) and thus never reach the OAuth policy.  If that's not happening, then perhaps that is a bug in the CORS policy...

@msvay - any thoughts on this?

-Eric

On 8/25/2016 3:53 AM, Melih Ozdemirkan wrote:
> I have an API provisioned on APIMAN with a Keycloak OAuth Policy and a
> CORS Policy (using APIMAN plugins). On the client side, I get the JWT
> token from Keycloak and add the Authorization header to the GET request
> sent to APIMAN for my own API. The problem is that APIMAN rejects the
> OPTIONS preflight with 401 Unauthorized and the message "OAuth2
> 'Authorization' header or 'access_token' query parameter must be provided."
>
> I am using APIMAN 1.2.7_final. I applied the workaround in the JIRA issue
> given below, but it didn't work for me. Does it work for both APIMAN's
> own REST endpoints and my own APIs? I suppose it is not valid for the
> latter.
>
> http://lists.jboss.org/pipermail/apiman-user/2016-July/000727.html
>
> https://issues.jboss.org/browse/APIMAN-1209
>
> *TOKEN REQUEST TO KEYCLOAK*
>
> *General*
> Request URL: http://localhost:8280/auth/realms/company/protocol/openid-connect/token
> Request Method: POST
> Status Code: 200 OK
> Remote Address: 127.0.0.1:8280
>
> *Response Headers*
> Access-Control-Allow-Credentials: true
> Access-Control-Allow-Origin: http://localhost:8080
> Access-Control-Expose-Headers: Access-Control-Allow-Methods
> Connection: keep-alive
> Content-Length: 3175
> Content-Type: application/json
> Date: Thu, 25 Aug 2016 07:22:59 GMT
> Server: WildFly/10
> X-Powered-By: Undertow/1
>
> *Request Headers*
> Accept: */*
> Accept-Encoding: gzip, deflate
> Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4
> Connection: keep-alive
> Content-Length: 78
> Content-Type: application/x-www-form-urlencoded
> Host: localhost:8280
> Origin: http://localhost:8080
> Referer: http://localhost:8080/login-services/login.html
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
>
> *Form Data*
> username: username
> password: pasword
> grant_type: password
> client_id: company
>
> *GET REQUEST TO API ON APIMAN*
>
> *General*
> Request URL: http://localhost:8280/apiman-gateway/client/test-services-ws/1.0/getuser/
> Request Method: OPTIONS
> Status Code: *401 Unauthorized*
> Remote Address: 127.0.0.1:8280
>
> *Response Headers*
> Connection: keep-alive
> Content-Type: application/json
> Date: Thu, 25 Aug 2016 07:22:59 GMT
> Server: WildFly/10
> Transfer-Encoding: chunked
> X-Policy-Failure-Code: 11005
> X-Policy-Failure-Message: *OAuth2 'Authorization' header or 'access_token' query parameter must be provided.*
> X-Policy-Failure-Type: Authentication
> X-Powered-By: Undertow/1
>
> *Request Headers*
> Accept: */*
> Accept-Encoding: gzip, deflate, sdch
> Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4
> Access-Control-Request-Headers: authorization
> Access-Control-Request-Method: GET
> Connection: keep-alive
> Host: localhost:8280
> Origin: http://localhost:8080
> Referer: http://localhost:8080/login-services/login.html
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
>
> _______________________________________________
> Apiman-user mailing list
> Apiman-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/apiman-user
>
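The ordering effect the thread settles on (CORS policy before the Keycloak OAuth policy) can be reproduced with a small simulated policy chain. This is an added example, not code from the thread or from apiman: the `Request`/`Response` classes, the `apply`/`decorate` hooks, the `handle` chain runner and the constructed bearer token are assumptions made for the demonstration; the failure code `11005`, the failure message and the origin, path and preflight headers are taken from the captured requests above. It shows that a real preflight (OPTIONS with `Origin` and `Access-Control-Request-Method`) carries no `Authorization` header, so an OAuth policy that runs first rejects it with 401, while a CORS policy that runs first answers it from its own allow-list. It also covers what the thread does not spell out: the short-circuit must apply only to genuine preflights from an allowed origin, so a bare OPTIONS or a preflight from another origin never becomes an unauthenticated path to the backend, and the actual GET still has to pass the OAuth policy.

```python
from dataclasses import dataclass, field

# Constructed sample token standing in for a Keycloak-issued JWT that a real OAuth
# policy would validate (signature, expiry, issuer); anything else is rejected.
VALID_TOKENS = {"constructed-jwt-for-user-1"}
ORIGIN = "http://localhost:8080"   # browser origin from the captured requests
API_PATH = "/apiman-gateway/client/test-services-ws/1.0/getuser/"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)   # header names lower-cased


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def is_preflight(req):
    """A genuine CORS preflight: OPTIONS + Origin + Access-Control-Request-Method."""
    return (req.method == "OPTIONS" and "origin" in req.headers
            and "access-control-request-method" in req.headers)


class CorsPolicy:
    def __init__(self, allowed_origins, allowed_methods, allowed_headers):
        self.allowed_origins = set(allowed_origins)
        self.allowed_methods = [m.upper() for m in allowed_methods]
        self.allowed_headers = [h.lower() for h in allowed_headers]

    def apply(self, req):
        """Return a Response to short-circuit the chain, or None to continue."""
        if not is_preflight(req):
            return None   # non-preflight requests (bare OPTIONS included) continue to auth
        origin = req.headers["origin"]
        if origin not in self.allowed_origins:
            return Response(403, body="origin not allowed")
        method = req.headers["access-control-request-method"].upper()
        asked = [h.strip().lower() for h in
                 req.headers.get("access-control-request-headers", "").split(",") if h.strip()]
        if method not in self.allowed_methods or any(h not in self.allowed_headers for h in asked):
            return Response(403, body="method or header not allowed")
        # A preflight never carries credentials and never reaches the backend, so the
        # policy answers it directly from its allow-list.
        return Response(200, {
            "access-control-allow-origin": origin,
            "access-control-allow-methods": ", ".join(self.allowed_methods),
            "access-control-allow-headers": ", ".join(self.allowed_headers),
            "access-control-max-age": "600",
        })

    def decorate(self, req, resp):
        """Add the allow-origin header to actual responses for allowed origins only."""
        origin = req.headers.get("origin")
        if origin in self.allowed_origins:
            resp.headers["access-control-allow-origin"] = origin
        return resp


class OAuthPolicy:
    FAILURE_MSG = "OAuth2 'Authorization' header or 'access_token' query parameter must be provided."

    def apply(self, req):
        auth = req.headers.get("authorization", "")
        if not auth:   # exactly the failure seen in the thread when this policy runs first
            return Response(401, {"x-policy-failure-code": "11005",
                                  "x-policy-failure-message": self.FAILURE_MSG,
                                  "x-policy-failure-type": "Authentication"})
        scheme, _, token = auth.partition(" ")
        if scheme.lower() != "bearer" or token not in VALID_TOKENS:
            return Response(401, {"x-policy-failure-type": "Authentication"}, "invalid token")
        return None

    def decorate(self, req, resp):
        return resp


def handle(policies, req):
    """Run the chain in order; the first policy returning a Response short-circuits it."""
    resp = None
    for policy in policies:
        resp = policy.apply(req)
        if resp is not None:
            break
    if resp is None:   # every policy passed: simulated backend answer
        resp = Response(200, {"content-type": "application/json"}, '{"user": "user-1"}')
    for policy in reversed(policies):
        resp = policy.decorate(req, resp)
    return resp


def preflight():
    return Request("OPTIONS", API_PATH, {"origin": ORIGIN,
                                         "access-control-request-method": "GET",
                                         "access-control-request-headers": "authorization"})


def actual_get(token=None):
    headers = {"origin": ORIGIN}
    if token:
        headers["authorization"] = "Bearer " + token
    return Request("GET", API_PATH, headers)


CORS = CorsPolicy([ORIGIN], ["GET", "POST"], ["authorization", "content-type"])
OAUTH = OAuthPolicy()
WRONG_ORDER = [OAUTH, CORS]   # OAuth policy first: preflight gets 401
RIGHT_ORDER = [CORS, OAUTH]   # CORS policy first: preflight answered, GET still needs a token

if __name__ == "__main__":
    for name, chain in [("oauth-then-cors", WRONG_ORDER), ("cors-then-oauth", RIGHT_ORDER)]:
        r = handle(chain, preflight())
        print(name, "preflight ->", r.status, r.headers.get("x-policy-failure-message", ""))
```

Running the module prints the 401 for the OAuth-first chain and the 200 for the CORS-first chain; the useful checks for a defender are the ones the chain order alone does not guarantee: a bare OPTIONS without `Origin` is not treated as a preflight and still hits the OAuth policy, a preflight from an origin outside the allow-list gets 403 without any `Access-Control-Allow-*` headers, and the actual GET with the `Authorization` header is authenticated regardless of the preflight having succeeded.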