I have troubles with CORS error.
I am developing a react app with create-react-app.
I am using axios to fetch data from BE but when I try to fetch I got cors error in chrome:
I tried to disable CORS policy in chrome but nothing is working.
Is very strange because the login route works while the other routes that need a session in header are not working. I tried also to call them through command line CURL and they work as expected.
With the curl command line I dumped the response header and I got:
HTTP/1.1 200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Tue, 12 Oct 2021 13:22:07 GMT
My frontend is in http://localhost:3000 while the backend is in another domain on internet.
What am I doing wrong?
You could either proxy the backend or request the backend to add CORS headers, like Access-Control-Allow-Origin, Access-Control-Allow-Methods,
Access-Control-Allow-Headers
Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
I solved the problem enabling (in BE part) the following headers:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: *
Adding these, the preflight calls succeded and I was able to fetch the API
When following the instructions on the site below, I get stuck in Step 2.
https://developers.google.com/assistant/smarthome/tools/smart-home-test-suite
After clicking on "Exchange authorization code for tokens" I get no codes, but a 401 Unauthorized error.
No idea what is going wrong during this test, because the action itself works fine.
This is the output from the OAuth playground:
Host: oauth.teletask.be
Content-length: 169
content-type: application/x-www-form-urlencoded
user-agent: google-oauth-playground
code=XIspHj&redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&client_id=***********&client_secret=************&scope=&grant_type=authorization_code
HTTP/1.1 401 Unauthorized
X-xss-protection: 1; mode=block
X-content-type-options: nosniff
Transfer-encoding: chunked
Expires: 0
Www-authenticate: Basic realm="oauth2/client"
Server: nginx/1.14.1
Connection: keep-alive
Pragma: no-cache
Cache-control: no-cache, no-store, max-age=0, must-revalidate
Date: Thu, 21 Nov 2019 14:59:59 GMT
Strict-transport-security: max-age=31536000 ; includeSubDomains
Content-type: application/json;charset=UTF-8
X-frame-options: DENY
{
"status": 401,
"timestamp": "2019-11-21T14:59:59.599+0000",
"message": "Unauthorized",
"path": "/auth/oauth/token",
"error": "Unauthorized"
}
That 401 error is being generated by your OAuth server (oauth.teletask.be), specifically the endpoint you entered as the Token endpoint, when it receives the authorization code grant from Google. You should check your server logs to identify more details about why it rejected the request.
Common issues here include rejecting the redirect_uri or client_id because they don't match expected values. It may also be possible that your Authorization code has too short a lifetime and the code expires before you hit the button to exchange it for a token.
I have two applications that I am running locally. A React frontend and a Flask backend. The backend handles all of the OAuth authentication and provides a bunch of end-points for the front-end.
React: http://www.local-app.com:3000/
Flask: http://www.local-app.com/
If I post to the URL http://www.local-app.com/v1/auth/login I get this response data:
Access-Control-Allow-Origin: http://www.local-app.com:3000
Connection: keep-alive
Content-Length: 2
Content-Type: text/html; charset=utf-8
Date: Fri, 08 Nov 2019 03:13:04 GMT
Server: nginx
Set-Cookie: remember_token=username|long_remember_token_here; Expires=Sat, 07-Nov-2020 03:13:04 GMT; Path=/
Set-Cookie: session=long_session_token_here; Domain=.local-app.com; Expires=Mon, 09-Dec-2019 03:13:04 GMT; HttpOnly; Path=/
Vary: Origin
This seems correct to me but the Cookie is never stored on the client no matter what I have tried.
Posting to http://www.local-app.com/v1/auth/login in postman works. The cookie is set and persisted across other end-points.
I think the problem lies with the cookie domain. I have tried setting a proxy and all sorts but nothing has worked.
Any suggestions?
The problem was due to the Flask Cors module overwriting my Nginx CORS configuration. Adding the following code to the Flask app solved the problem for me.
CORS(app, supports_credentials=True)
Thanks Selcuk for pointing me in the right direction.
I have an issue accessing Google Photo API,
I've authenticated successfully in a indows Desktop application following this guide but when I get the authentication Token, I cannot access the API I receive a 403 Forbidden as shown bellow :
{StatusCode: 403, ReasonPhrase: 'Forbidden', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
{
Vary: X-Origin
Vary: Referer
Vary: Origin
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: quic=":443"; ma=2592000; v="44,43,39,35"
Transfer-Encoding: chunked
Accept-Ranges: none
Cache-Control: private
Date: Mon, 20 Aug 2018 19:50:07 GMT
Server: ESF
WWW-Authenticate: Bearer realm="https://accounts.google.com/", error="insufficient_scope", scope="https://www.googleapis.com/auth/photoslibrary https://www.googleapis.com/auth/photoslibrary.appendonly https://www.googleapis.com/auth/photoslibrary.sharing"
Content-Type: application/json; charset=UTF-8
}}
I can see this is related to scopes, and I went through Google's documentation, but I don't know where to make use of these scopes for it to work properly, please can someone help me ?
It might be just angularjs issue! I am very new to the frontend and angularjs.
I have an angularjs sign in service which calls the url '/signin/facebook/' to sign in, it seems the backend is redirected correctly and calling the facebook oauth but I got the follow error.
[Angularjs sign in service]
app.factory('fbSigninService', function($http){
return{
fb_signin:function(scope){
var $promise=$http.post('/signin/facebook/',JSON.stringify(scope));
}
}
});
[error]
XMLHttpRequest cannot load https://www.facebook.com/v1.0/dialog/oauth?client_id=xxxxxxxxxxxxxxx&respon…t%3A8080%2Fsignin%2Ffacebook%2F&state=12431991-7555-4ed4-90b9-728e11c721f0. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access.
so when I click on the link directly from the browser's console from the error, it authenticated fine!
https://www.facebook.com/v1.0/dialog/oauth?client_id=xxxxxxxxxxxxxxx&respon…t%3A8080%2Fsignin%2Ffacebook%2F&state=12431991-7555-4ed4-90b9-728e11c721f0
Update #01
I don't think, javascript suppose to call the facebook auth, the javascript should call the same host '/signin/facebook/' and then the backend should make the facebook auth call???
Update #02 15/Oct/2014
1) I have updated the code to allow cross origin but still getting the same error.
2) when I re-read the error again, it actually saying "facebook"'s doesnt' have 'Access-Control-Allow-Origin' header is present on the requested resource.
So the question is, how am I supposed to call from angularjs -> java api -> redirect to facebook login page?
[Java]
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
[Headers]
Request URL:http://localhost:8080/index.html
Request Method:GET
Status Code:200 OK
Request Headersview source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Cookie:JSESSIONID=3BA4D9DBF38686F2AA527BF408D28EC1
Host:localhost:8080
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/31.0.1650.63 Chrome/31.0.1650.63 Safari/537.36
Response Headersview source
Access-Control-Allow-Headers:x-requested-with
Access-Control-Allow-Methods:POST, GET, OPTIONS, DELETE
Access-Control-Allow-Origin:*
Access-Control-Max-Age:3600
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:1839
Content-Type:text/html
Date:Wed, 15 Oct 2014 23:15:01 GMT
Expires:0
Last-Modified:Wed, 08 Oct 2014 22:10:40 GMT
Pragma:no-cache
Server:Apache-Coyote/1.1
X-Application-Context:application
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
Update #03
I am using the Advance REST client to call the '/signin/facebook/', it seems working fine.
Redirect #1
To:https://www.facebook.com/v1.0/dialog/oauth?client_id=273118692865062&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fconnect%2Ffacebook&state=00d8c7ee-e178-4d2b-bc86-500505d5eac2 with status: 302 Show explanation HTTP/1.1 302 Found
Redirection information has not been cached.
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: x-requested-with
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: application
Location: https://www.facebook.com/v1.0/dialog/oauth?client_id=273118692865062&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fconnect%2Ffacebook&state=00d8c7ee-e178-4d2b-bc86-500505d5eac2
Content-Language: en-US
Content-Length: 0
Date: Thu, 16 Oct 2014 21:50:21 GMT
Redirect #2
To:http://localhost:8080/connect/facebook?code=AQCq9wnl_LeecAuWkR0D2252YZICiuWiaFeSUqISaUzQ7vfHHWI1sMsqSWO5kpgUQG0URi5NI52UX3zBpKTwj7rnnzQKOnxjUbyxwN-Z3a3rt1G3P84ONaCrsUO-LuM0_bpvROzWzno0pK9_lf-KI5JhqBvWWRGuWGEKz1FKl816rbrEP_nmh97BBM5oW3IYbvjuhKSghINp2ilADgLabMFTC76zN41HRjWE7X1bXGLaXY3EtQG61R5FGo7QV-W9iWtH3PCZw4gP_DByiDdUrObo1OsECWSkdh6q7a-EsuJ_QZe5zqQJbhEf2GHal5AC9YU&state=00d8c7ee-e178-4d2b-bc86-500505d5eac2#_=_ with status: 302 Show explanation HTTP/1.1 302 forced.302
Redirection information has not been cached.
status: 302 forced.302
version: HTTP/1.1
cache-control: private, no-cache, no-store, must-revalidate
content-length: 0
content-security-policy: default-src *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net *.atlassolutions.com chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl;style-src * 'unsafe-inline';connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net wss://*.facebook.com:* ws://*.facebook.com:* http://*.akamaihd.net https://fb.scanandcleanlocal.com:* *.atlassolutions.com http://attachment.fbsbx.com https://attachment.fbsbx.com;
content-type: text/html; charset=utf-8
date: Thu, 16 Oct 2014 21:50:21 GMT
expires: Sat, 01 Jan 2000 00:00:00 GMT
facebook-api-version: v1.0
location: http://localhost:8080/connect/facebook?code=AQCq9wnl_LeecAuWkR0D2252YZICiuWiaFeSUqISaUzQ7vfHHWI1sMsqSWO5kpgUQG0URi5NI52UX3zBpKTwj7rnnzQKOnxjUbyxwN-Z3a3rt1G3P84ONaCrsUO-LuM0_bpvROzWzno0pK9_lf-KI5JhqBvWWRGuWGEKz1FKl816rbrEP_nmh97BBM5oW3IYbvjuhKSghINp2ilADgLabMFTC76zN41HRjWE7X1bXGLaXY3EtQG61R5FGo7QV-W9iWtH3PCZw4gP_DByiDdUrObo1OsECWSkdh6q7a-EsuJ_QZe5zqQJbhEf2GHal5AC9YU&state=00d8c7ee-e178-4d2b-bc86-500505d5eac2#_=_
pragma: no-cache
strict-transport-security: max-age=15552000; preload
x-content-type-options: nosniff
x-fb-debug: ESLliRqmaFv9DBXraKZN4X3FRH36D8lnMegz7e9Udqv5aECkJwU7DiWbQ+g+d9X4G+30cP27b3nCs9BsDIlM6w==
x-frame-options: DENY
x-xss-protection: 0
Redirect #3
To:http://localhost:8080/connect/facebook#_=_ with status: 302 Show explanation HTTP/1.1 302 Found
Redirection information has not been cached.
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: x-requested-with
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: application
Location: http://localhost:8080/connect/facebook
Content-Language: en-US
Content-Length: 0
Date: Thu, 16 Oct 2014 21:50:21 GMT
Though am late but I think it can help to an extent.
Spring-social APIs handle all this out of the box. I have created a sample app which uses Spring-social and AngularJS. Its a very basic flow but may help.
spring-social-angularjs-sample
You need to allow requests to outside of your domain (this is a security mechanism enforced by your browser which blocks by default requests to foreign domain addresses - read).
you probably need to configure a rule to allow your client to access Facebook - needs to be added in your server's configuration (not in angular)
how to fix? - django, node, apache, iis, ...
The issue is with cross-origin requests, not the authentication itself. There is no specific configuration in spring social or security modules to handle facebook or any other provider. Answering one of your doubts - yes, the backend should handle all of the dance, you do not have to do anything from your front-end apart from calling the authentication address.
At first, try to authenticate through your server against facebook API by doing the same call as you do from your angular client but using Advanced REST client for Chrome. See the outcome.
Then, I would start with proper implementation of CORS filters in your case. To test that CORS is working at least to some extent, create a controller to handle a POST request and send one from Angular. Test it first without using the Facebook API. If you cannot send a POST, this means you have to change your CORS filters before you proceed with using facebook API for authentication.
If your simple POST works (or, moreover, if it doesn't) please refer to Tomcat documentation for the catalina implementation of Cors Filter http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter . They provide sample configuration of filters which should allow you to get rid of any cors issues (you can add one more header to the cors allowed headers, "Authorization").
If none of these above help you, let me know.