The idea behind the auth/status endpoint was to enable integration with the SSO server. However, it seems that the CORS implementation in browsers has changed a bit since then. The problem seems to be that CORS requires clients to set the Origin value to null when following redirects (302).
Similar situation is described here: https://code.google.com/p/chromium/issues/detail?id=154967
There might be a relevant test case here: https://w3c-test.org/cors/redirect-origin.htm
Demo
Let's use the following test web page (sso-test.html):
Test 1
Use case where user is not authorized via SSO is as follows:
User accesses auth/status
Browser is redirected to: https://sso-dev.jboss.org/login?service=http%3A%2F%2F<host-A>%3A8080%2Fv2%2Frest%2Fauth%2Fstatus%3Froles%3Da&gateway=true
Request (note Origin is set to null):
GET /login?service=http%3A%2F%2F<host-A>%3A8080%2Fv2%2Frest%2Fauth%2Fstatus%3Froles%3Da&gateway=true HTTP/1.1
Host: sso-dev.jboss.org
Connection: keep-alive
Accept: */*
Origin: null
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
Referer: http://<host-A>/~rysiek/stats.jboss.org/sso-test.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,cs;q=0.6
Cookie: [... bunch of cookies here ...]
Browser is redirected to: http://<host-A>:8080/v2/rest/auth/status?roles=a
Request:
GET /v2/rest/auth/status?roles=a HTTP/1.1
Host: <host-A>:8080
Connection: keep-alive
Accept: */*
Origin: null
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
Referer: http://<host-A>/~rysiek/stats.jboss.org/sso-test.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,cs;q=0.6
Cookie: JSESSIONID=embUaBfbQVwq9Mpito06iS4N
Response:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Access-Control-Allow-Origin: null
Content-Type: application/json
Transfer-Encoding: chunked
Date: Wed, 01 Jul 2015 15:15:37 GMT
Getting error here:
XMLHttpRequest cannot load http://<host-A>:8080/v2/rest/auth/status?roles=a. Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is ''. It must be 'true' to allow credentials.
Test 2
Interestingly, the use case where the user logs in to SSO works to some extent. Specifically, the security token is probably created correctly on the Searchisko side, but handling of the auth/status request flow ends with a CORS error on the browser side anyway.
User logs into SSO
User accesses auth/status
Request:
GET /v2/rest/auth/status?roles=a HTTP/1.1
Host: <host-A>:8080
Connection: keep-alive
Cache-Control: max-age=0
Accept: */*
Origin: http://78.11.174.64
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
Referer: http://<host-A>/sso-test.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,cs;q=0.6
Cookie: JSESSIONID=l13TvFVX1QVhuNxZeZxHYaq6
Browser is redirected to https://sso-dev.jboss.org/login?service=http%3A%2F%2F<host-A>%3A8080%2Fv2%2Frest%2Fauth%2Fstatus%3Froles%3Da&gateway=true
Request (note Origin is set to null):
GET /login?service=http%3A%2F%2F<host-A>%3A8080%2Fv2%2Frest%2Fauth%2Fstatus%3Froles%3Da&gateway=true HTTP/1.1
Host: sso-dev.jboss.org
Connection: keep-alive
Accept: */*
Origin: null
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
Referer: http://78.11.174.64/~rysiek/stats.jboss.org/sso-test.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,cs;q=0.6
Cookie: [... bunch of cookies here ...]
Browser is redirected to: http://<host-A>:8080/v2/rest/auth/status?roles=a&ticket=ST-634-HKcLnzZM0ltBVHJVbG2S-jboss-org-sso
Request:
GET /v2/rest/auth/status?roles=a&ticket=ST-634-HKcLnzZM0ltBVHJVbG2S-jboss-org-sso HTTP/1.1
Host: <host-A>:8080
Connection: keep-alive
Accept: */*
Origin: null
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
Referer: http://<host-A>/~rysiek/stats.jboss.org/sso-test.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,cs;q=0.6
Cookie: JSESSIONID=l13TvFVX1QVhuNxZeZxHYaq6
Response:
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Access-Control-Allow-Origin: null
Location: http://<host-A>:8080/v2/rest/auth/status?roles=a
Content-Length: 0
Date: Wed, 01 Jul 2015 14:46:07 GMT
Getting error here:
XMLHttpRequest cannot load http://<host-A>:8080/v2/rest/auth/status?roles=a&ticket=ST-634-HKcLnzZM0ltBVHJVbG2S-jboss-org-sso. Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is ''. It must be 'true' to allow credentials.
Conclusion
We probably need to rethink/redesign SSO integration.
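The two captures above fail for the same reason, and it helps to see the browser's decision written out. The following is an added example in Python, not Searchisko's code: it replays the Fetch "CORS check" over the Test 1 response copied from this issue, shows why the Origin turns into null on the redirect hops, and contrasts the captured headers with a server policy that grants credentials only to an allow-listed origin. The page origin (http://stats.example), the API host (host-a.example:8080) and the allow-list are assumptions.

```python
"""Replay of the browser-side CORS check over the response captured in this
issue, plus a server-side policy that passes it without echoing 'null'.

Added example, not Searchisko's code. The response head is copied from the
issue; the page origin, API host and allow-list below are assumptions."""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Captured in the issue (Test 1, final response). Test 2's 302 carries the same
# Access-Control-Allow-Origin value and also lacks Access-Control-Allow-Credentials.
TEST1_RESPONSE = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Access-Control-Allow-Origin: null
Content-Type: application/json
Transfer-Encoding: chunked
Date: Wed, 01 Jul 2015 15:15:37 GMT
"""

PAGE_ORIGIN = "http://stats.example"   # assumed origin of the page hosting sso-test.html
ALLOWED_ORIGINS = {PAGE_ORIGIN}        # assumed server-side allow-list


def parse_head(raw: str) -> Dict[str, str]:
    """Parse a captured status line plus headers into a dict keyed by lower-cased name."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:      # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def origin_of(url: str) -> str:
    """Serialize a URL's (scheme, host, port) tuple the way the Origin header does."""
    parts = urlsplit(url)
    default = {"http": 80, "https": 443}.get(parts.scheme)
    port = parts.port or default
    if port == default:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def origin_after_redirect(origin: str, current_url: str, location: str) -> str:
    """Origin the browser sends on the next hop of a CORS request. Simplified from the
    Fetch redirect rule: a hop whose Location is cross-origin to the current URL turns the
    request origin opaque (serialized as 'null'), and it stays 'null' for the rest of the
    chain. This is why both the sso-dev hop and the hop back to the API carry Origin: null."""
    if origin == "null" or origin_of(current_url) != origin_of(location):
        return "null"
    return origin


def cors_check(resp: Dict[str, str], request_origin: str, with_credentials: bool) -> Optional[str]:
    """Return None if the browser would accept the response, else the reason it is blocked.
    Mirrors the Fetch CORS check: ACAO must be '*' or equal the serialized request origin;
    in credentials mode '*' is refused and ACAC must be exactly 'true'."""
    acao = resp.get("access-control-allow-origin")
    acac = resp.get("access-control-allow-credentials", "")
    if acao is None:
        return "No 'Access-Control-Allow-Origin' header is present on the requested resource."
    if acao == "*":
        if with_credentials:
            return "The 'Access-Control-Allow-Origin' header must not be '*' when the credentials flag is true."
        return None
    if acao != request_origin:
        return f"Origin {request_origin!r} is not allowed by Access-Control-Allow-Origin {acao!r}."
    if with_credentials and acac != "true":
        return (f"Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is "
                f"{acac!r}. It must be 'true' to allow credentials.")
    return None


def cors_response_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Assumed server-side policy (not the project's filter): grant credentials only to an
    allow-listed origin and never echo 'null'. Sandboxed iframes and data: documents also send
    Origin: null, so reflecting it together with credentials would expose the session cookie
    to any of them. Vary: Origin stops caches from serving one origin's grant to another."""
    headers = {"vary": "Origin"}
    if request_origin in ALLOWED_ORIGINS:
        headers["access-control-allow-origin"] = request_origin
        headers["access-control-allow-credentials"] = "true"
    return headers


if __name__ == "__main__":
    api = "http://host-a.example:8080/v2/rest/auth/status?roles=a"   # assumed API host
    sso = "https://sso-dev.jboss.org/login?service=...&gateway=true"
    hop1 = origin_after_redirect(PAGE_ORIGIN, api, sso)   # 'null': API -> SSO is cross-origin
    hop2 = origin_after_redirect(hop1, sso, api)          # stays 'null' on the way back
    print("Origin on SSO hop:", hop1, "| Origin on return hop:", hop2)
    print("Captured response:", cors_check(parse_head(TEST1_RESPONSE), hop2, True))
    print("Fixed policy, direct call:", cors_check(cors_response_headers(PAGE_ORIGIN), PAGE_ORIGIN, True))
    print("Fixed policy, redirected call:", cors_check(cors_response_headers(hop2), hop2, True))
```

Two things fall out of running it. Adding `Access-Control-Allow-Credentials: true` next to the echoed `Access-Control-Allow-Origin: null` would make the browser accept the response, but it would also grant the session cookie to every document whose origin serializes as null, so the allow-list policy deliberately refuses that. With the allow-list in place a direct credentialed call from the page works, while the flow that bounces the XHR through the SSO login still arrives with `Origin: null` and is refused, which is why the redirect-driven design itself has to change, as the conclusion above says.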