POST /logout response Forbidden 403 #179
I can spot quite a few mistakes above:

**CORS**

If you correctly use a reverse-proxy serving both UI and BFF, CORS configuration is not needed. You are apparently sending a request to your BFF (http://localhost:8080) with http://localhost:1000 as origin. This is wrong. The reason why you need a reverse-proxy serving both UI assets and BFF is that Spring session cookies are flagged with

In the tutorial, there is a route for the UI which makes the BFF itself a reverse-proxy for the UI:

```yaml
- id: ui
  uri: ${ui-uri}
  predicates:
  - Path=/ui/**
```

This is enough to achieve same origin. You should probably restore this route and point your browser to http://localhost:8080/ui instead of http://localhost:1000. This requires setting

```javascript
const nextConfig = {
  basePath: '/ui',
  assetPrefix: '/ui',
}
```

You should also probably restore the post-login & post-logout properties to redirect to your UI through the reverse-proxy (the default for a Spring OAuth2 client is itself, and redirecting to the BFF will be problematic).

**CSRF**

In the case where the HTTP client you use in Vue does not handle CSRF tokens transparently (like the Angular one does), you have to read the
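The CSRF handling the maintainer describes, as an added example that is not part of the thread or of the spring-addons project: a small `fetch` wrapper for a SPA served through the BFF under `/ui`. It assumes Spring Security's `CookieCsrfTokenRepository` defaults, which `csrf: cookie-accessible-from-js` selects (cookie `XSRF-TOKEN`, request header `X-XSRF-TOKEN`), and that with `rp-initiated-logout: NO_CONTENT` the BFF answers `POST /logout` with 204 and the authorization server's logout URL in the `Location` header for the SPA to follow itself. The cookie string, the `fakeBffFetch` stand-in and the Keycloak URL it returns are constructed so the example runs offline.

```javascript
// Added example (not from the issue thread or from spring-addons).
// Assumed names: Spring Security's CookieCsrfTokenRepository defaults.
const CSRF_COOKIE = 'XSRF-TOKEN';
const CSRF_HEADER = 'X-XSRF-TOKEN';
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse a document.cookie-style string ("a=1; b=2") into a Map.
function parseCookies(cookieString) {
  const cookies = new Map();
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) cookies.set(name, decodeURIComponent(value));
  }
  return cookies;
}

// Build fetch options for a same-origin call to the BFF. State-changing
// methods carry the CSRF token read from the JS-accessible cookie; the
// session cookie travels on its own because the SPA is served by the BFF
// (same origin), so no CORS configuration is involved.
function buildRequest(method, cookieString, extraHeaders = {}) {
  const headers = { ...extraHeaders };
  const upper = method.toUpperCase();
  if (!SAFE_METHODS.has(upper)) {
    const token = parseCookies(cookieString).get(CSRF_COOKIE);
    if (!token) {
      // This is exactly the situation behind "An expected CSRF token cannot
      // be found": no page from the BFF has set the cookie yet.
      throw new Error(`${CSRF_COOKIE} cookie missing: load a page through the BFF first`);
    }
    headers[CSRF_HEADER] = token;
  }
  return { method: upper, headers, credentials: 'same-origin' };
}

// Logout through the BFF. Assumption: with rp-initiated-logout: NO_CONTENT
// the BFF replies 204 and puts the OP's logout URL in the Location header,
// which the SPA then assigns to window.location itself.
async function logout(fetchImpl, cookieString, bffBase = '') {
  const response = await fetchImpl(`${bffBase}/logout`, buildRequest('POST', cookieString));
  if (response.status === 403) {
    throw new Error('403 from /logout: CSRF header rejected or session missing');
  }
  return { status: response.status, redirectTo: response.headers.get('Location') };
}

// Constructed sample of document.cookie after the BFF served a page: the
// session cookie is HttpOnly and therefore invisible, only XSRF-TOKEN shows.
const SAMPLE_COOKIES = 'XSRF-TOKEN=0f3a-constructed-token; theme=dark';

// Offline stand-in for fetch: rejects a POST lacking the matching CSRF header
// the way Spring Security does, otherwise answers like the assumed BFF.
async function fakeBffFetch(url, init) {
  const hasToken = init.headers[CSRF_HEADER] === '0f3a-constructed-token';
  if (init.method === 'POST' && !hasToken) {
    return { status: 403, headers: new Map() };
  }
  // Constructed Keycloak logout URL for the realm named on this page.
  const logoutUrl = 'http://localhost:9090/realms/client/protocol/openid-connect/logout';
  return { status: 204, headers: new Map([['Location', logoutUrl]]) };
}

// Stand-alone run: in a browser you would pass window.fetch and document.cookie,
// then do window.location.href = result.redirectTo.
logout(fakeBffFetch, SAMPLE_COOKIES).then((result) => console.log(result));
```

The point to notice is that a request sent from `http://localhost:1000` to `http://localhost:8080` would never satisfy this: the SPA cannot read a cookie set for another origin, so the header is empty and the BFF answers 403 even if CORS were opened up. Serving the SPA through the BFF route is what makes the cookie readable.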
Thanks for the answer, I will try to fix the errors and unsubscribe about the result.
You need something for the reverse-proxy to know that a request is for a Vue asset and that it should be routed to whatever serves it (Vue dev-server on your dev machine). A path prefix is the easiest solution. Refer to the Vite doc for how to set a baseHref (called basePath in next.js, so it's probably the same for Vite); I have never used Vite.
I restored the configurations according to the tutorial, set the frontend base path of the application to `/ui`:

```javascript
export default defineConfig({
  base: '/ui',
  // ...
  server: {
    proxy: {
      '/api': 'http://localhost:8080/bff/v1/'
    }
  },
  // ...
})
```

restored Gateway:

```yaml
scheme: http
issuer: http://localhost:9090/realms/client
client-id: 'client-id'
client-secret: 'client-secret'
user-name-attribute: 'preferred_username'
gateway-uri: ${scheme}://localhost:${server.port}
api-uri: ${scheme}://localhost:8090/api
ui-uri: ${scheme}://localhost:1000

spring:
  security:
    oauth2:
      client:
        provider:
          keycloak:
            issuer-uri: ${issuer}
            user-name-attribute: ${user-name-attribute}
        registration:
          keycloak:
            provider: keycloak
            client-id: ${client-id}
            client-secret: ${client-secret}
            authorization-grant-type: authorization_code
            scope:
            - openid
            - profile
            - email
            - offline_access
            - roles
  cloud:
    gateway:
      default-filters:
      - DedupeResponseHeader=Access-Control-Allow-Credentials Access-Control-Allow-Origin
      - SaveSession
      routes:
      # set a redirection from / to the UI
      - id: home
        uri: ${gateway-uri}
        predicates:
        - Path=/
        filters:
        - RedirectTo=301,${gateway-uri}/ui/
      # BFF access to greetings API (with TokenRelay replacing session cookies with access tokens)
      # To be used by SPAs (Vue app in our case)
      - id: api-bff
        uri: ${api-uri}
        predicates:
        - Path=/bff/v1/**
        filters:
        - TokenRelay=
        - StripPrefix=2
      - id: ui
        uri: ${ui-uri}
        predicates:
        - Path=/ui/**

com:
  c4-soft:
    springaddons:
      oidc:
        ops:
        - iss: ${issuer}
          authorities:
          - path: $.realm_access.roles
          username-claim: ${user-name-attribute}
        client:
          client-uri: ${gateway-uri}
          security-matchers:
          - /login/**
          - /oauth2/**
          - /logout
          - /bff/**
          permit-all:
          - /login/**
          - /oauth2/**
          - /bff/**
          cors:
          - path: /bff/**
            allowed-origin-patterns:
            - ${gateway-uri}
            - https://localhost/
          csrf: cookie-accessible-from-js
          login-path: /ui/
          post-login-redirect-path: /ui/
          post-logout-redirect-path: /ui/
          oauth2-redirections:
            rp-initiated-logout: NO_CONTENT
        resourceserver:
          permit-all:
          - /
          - /login-options
          - /ui/**
          - /actuator/health/readiness
          - /actuator/health/liveness
          - /favicon.ico
          cors:
          - path: /login-options
            allowed-origin-patterns:
            - ${gateway-uri}
            - https://localhost/
```

Current application behavior: BUT I got a 500 server error when I reach
You don't want a proxy in your Vue conf, the BFF already is the proxy.
It is expected that you get an exception on the BFF when you try to get
I have removed the proxy in the Vue configuration. Current status of request execution:

Please note that there is no /ui in your example. Also added
Am I supposed to teach you programming or do your job (for free)? Also, should I really repeat myself?
I apologize for the annoyance; the last thing I wanted to say is that I understood you perfectly about the need to log in through the browser. As for the
Everything worked as it should; it turns out the frontend application needed to be launched
Frontend (SPA / Vue.js 3)
**Describe the bug**

I'm following the BFF tutorial, and it looks like there was a problem implementing the logout.
First I saw a warning about CORS policy:
I'm not really sure if I did it right, but I did it like this:
`application.yaml` (Gateway)
After that, I started getting a new error when I requested it:
The request ends with a 403 FORBIDDEN code and the response is:

```
An expected CSRF token cannot be found.
```
This leads to NOT triggering the logout process for providers.
From the example:

As I understand it, cookies are not sent with this policy. How should I correctly implement the /logout request so that everything works "as it should"?