在' xxx/.众所周知/openid-configuration'处访问XMLHttpRequest.来自起源' xxxx'已被CORS封锁 [英] Access to XMLHttpRequest at 'xxx/.well-known/openid-configuration' from origin 'xxxx' has been blocked by CORS
问题描述
我正在使用okta oAuth对angular 8应用程序进行身份验证和授权.自从获得"
我在okta受信任来源中添加了重定向URL.由于公司政策,我无法在CORS中添加URL.
我该如何解决CORS问题
从来源'https://localhost:44307'到'https://dev-166545.okta.com/oauth2/aus1igd7yewoAs4xa357/.well-known/openid-configuration'的XMLHttpRequest的访问已被阻止通过CORS策略:请求的资源上不存在"Access-Control-Allow-Origin"标头. 但是,在网络中我可以看到
首选方法是将Web域添加到API/受信任来源的Okta中-如.
OIDC客户端中有一个替代选项,它是避免提供授权URL并显式提供重定向端点和令牌签名密钥.https://dev-166545.okta.com/oauth2/aus1igd7yewoAs4xa357/.well-known/openid-configuration is causing the issue
I have added the redirect URL in the okta trusted origin. I can't add the URLs in the CORS because of company policy.
How can I solve the issue CORS
Access to XMLHttpRequest at 'https://dev-166545.okta.com/oauth2/aus1igd7yewoAs4xa357/.well-known/openid-configuration' from origin 'https://localhost:44307' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
However, in the network I can see
The preferred option is to add your web domain to Okta under API / trusted origins - as in step 7 of my write up
CORS is needed in order to implement open id connect for SPAs to latest security standards via Authorization Code Flow (PKCE).
There is an alternative option in OIDC client, which is to avoid supplying the authority url and supply the redirect endpoint and token signing keys explicitly. An example of this is in my Azure code sample where I prevent a JWKS lookup by supplying the token signing keys explicitly.
However, you will be restricted to the implicit flow, which is no longer recommended, so you are weakening the security of your app - which is not in your company's interests - and also adding considerable complexity to your code.
Maybe as a next step forward my response to your stakeholders - and try to convince them to do the sensible thing of updating to the recommended industry standard security settings
这篇关于在' xxx/.众所周知/openid-configuration'处访问XMLHttpRequest.来自起源' xxxx'已被CORS封锁的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
