CORS is not working on oAuth2 UserInfo endpoint in WSO2 API Manager

Problem description

I am having trouble making CORS work at oAuth2's UserInfo endpoint. I want to retrieve claims (UserInfo) by calling the oAuth2 UserInfo resource.

As I understood from the stackoverflow post "WSO2 API Manager CORS" ... enabling CORS for oAuth2 resources should be done in the Synapse configuration by adding the CORSRequest handler as described in the above stackoverflow link. I added this CORSRequest handler for the Token and Revoke resources (_TokenAPI_.xml and _RevokeAPI_.xml) as described in the above link. And, it worked! After those additions I also discovered a CORS problem in my app, so I did the same procedure by adding the CORSRequestHandler to _UserInfoAPI_.xml (including a restart of the server, wso2server.bat), but I am still getting the same CORS errors:

XMLHttpRequest cannot load https://localhost:9443/oauth2/userinfo?schema=openid. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access.

I don't understand why CORS is working on my token resource and not working on my userinfo resource.

Btw, I am not using WSO2 Identity Server, but only using API Manager with oAuth2 capabilities. I checked and I can see that there are no Allows-* headers being sent back to the client during an OPTIONS preflight call by my browser (javascript).

Why is the CORSRequestHandler not working if I add this handler in UserInfoAPI.xml?

Recommended answer

Are you sure you used the correct URL, which is https://localhost:8243/userinfo, for the OPTIONS call?

I just tried, and this is what I got.

bhathiya@bhathiya-x1:/$ curl -v -k -X OPTIONS https://localhost:8243/userinfo
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8243 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 697 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*    server certificate verification SKIPPED
*    server certificate status verification SKIPPED
*    common name: localhost (matched)
*    server certificate expiration date OK
*    server certificate activation date OK
*    certificate public key: RSA
*    certificate version: #3
*    subject: C=US,ST=CA,L=Mountain View,O=WSO2,CN=localhost
*    start date: Fri, 19 Feb 2010 07:02:26 GMT
*    expire date: Tue, 13 Feb 2035 07:02:26 GMT
*    issuer: C=US,ST=CA,L=Mountain View,O=WSO2,CN=localhost
*    compression: NULL
* ALPN, server did not agree to a protocol
> OPTIONS /userinfo HTTP/1.1
> Host: localhost:8243
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Accept: */*
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET
< Host: localhost:8243
< Access-Control-Allow-Headers: authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction
< Date: Sun, 23 Oct 2016 14:43:27 GMT
< Transfer-Encoding: chunked
< 

If you're using the same URL, please post your complete curl request and response.
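
To compare endpoints the way the answer asks, the captured `curl -v` output can be checked against the rules a browser applies to a preflight response. The following is an added example, not part of the original question or answer; the function names `preflight_ok`, `gateway_response` and `bare_response` are hypothetical, and the second sample response is constructed to match the error quoted in the question.

```bash
# Live use (curl -v prints headers on stderr), URL being the endpoint to test:
#   curl -sk -o /dev/null -v -X OPTIONS -H 'Origin: http://localhost:4200' \
#     -H 'Access-Control-Request-Method: GET' URL 2>&1 |
#     preflight_ok http://localhost:4200 GET authorization

# preflight_ok ORIGIN METHOD REQ_HEADERS  (reads `curl -v` output on stdin)
# Exit 0 if the "< " response headers pass a browser preflight check for a
# request without credentials. Names compare case-insensitively; a "*" in the
# Allow-Methods/Allow-Headers lists is not expanded (stricter than browsers).
preflight_ok() {
  awk -v origin="$1" -v method="$2" -v want="$3" '
    function listed(list, item,   n, i, parts, p) {
      n = split(list, parts, ",")
      for (i = 1; i <= n; i++) {
        p = parts[i]; gsub(/[ \t]/, "", p)
        if (tolower(p) == tolower(item)) return 1
      }
      return 0
    }
    /^< HTTP\// { status = $3 }
    /^< [A-Za-z-]+:/ {
      line = substr($0, 3); sub(/\r$/, "", line)
      c = index(line, ":")
      value = substr(line, c + 1); gsub(/^[ \t]+|[ \t]+$/, "", value)
      hdr[tolower(substr(line, 1, c - 1))] = value
    }
    END {
      if (status !~ /^2/) exit 1                      # preflight needs a 2xx status
      acao = hdr["access-control-allow-origin"]
      if (acao != "*" && acao != origin) exit 1       # origin not allowed
      if (method !~ /^(GET|HEAD|POST)$/ &&
          !listed(hdr["access-control-allow-methods"], method)) exit 1
      n = split(want, w, ",")
      for (i = 1; i <= n; i++) {
        h = w[i]; gsub(/[ \t]/, "", h)
        if (h != "" && !listed(hdr["access-control-allow-headers"], h)) exit 1
      }
    }'
}

# Response headers copied from the answer's curl output (port 8243).
gateway_response() { printf '%s\n' '< HTTP/1.1 200 OK' \
  '< Access-Control-Allow-Origin: *' '< Access-Control-Allow-Methods: GET' \
  '< Access-Control-Allow-Headers: authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction'; }
# Constructed sample: a 200 with no CORS headers, as the question's error reports.
bare_response() { printf '%s\n' '< HTTP/1.1 200 OK' '< Content-Length: 0'; }

gateway_response | preflight_ok http://localhost:4200 GET authorization && echo "gateway: pass"
bare_response | preflight_ok http://localhost:4200 GET authorization || echo "bare: blocked"
```

Running the commented curl command against both the URL in the question and the URL in the answer shows which listener actually returns the CORS headers.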