问题
I am having trouble making CORS work at oAuth2's UserInfo endpoint. I want to retrieve claims (UserInfo) by calling the oAuth2 UserInfo resource.
As I understood from stackoverflow post "WSO2 API Manager CORS" ... enabling CORS for oAuth2 resources should be done in the Synapse configuration by adding the CORSRequest handler as described in above stackoverflow link.
I added this CORSRequest handler for Token en Revoke resources ( _TokenAPI_.xml en _RevokeAPI_xml) as described in the above link. And, it worked!
After those additions I discovered also CORS problem in my app, so I did the same procedure by adding the CORSRequestHandler to _UserInfoAPI_.xml (inlcuding a restart on the server wso2server.bat)), but still I am getting the same CORS errors:
XMLHttpRequest cannot load https://localhost:9443/oauth2/userinfo?schema=openid. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access.
I don't understand that CORS is working on my token resource and not working on my userinfo resource ?
Btw, I am not using WSO2 Identity Server, but only using API Manager with oAuth2 capabilities. I checked and I can see that there is no Allows-* headers being sent back to the client (during an OPTIONS preflight) call by my browser(javascript).
Why is the CORSRequestHandler not working if I add this handler in UserInfAPI.xml?
回答1:
Are you sure you used the correct URL which is https://localhost:8243/userinfo for OPTION call?
I just tried, and this is what I got.
bhathiya@bhathiya-x1:/$ curl -v -k -X OPTIONS https://localhost:8243/userinfo
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8243 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 697 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: localhost (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=US,ST=CA,L=Mountain View,O=WSO2,CN=localhost
* start date: Fri, 19 Feb 2010 07:02:26 GMT
* expire date: Tue, 13 Feb 2035 07:02:26 GMT
* issuer: C=US,ST=CA,L=Mountain View,O=WSO2,CN=localhost
* compression: NULL
* ALPN, server did not agree to a protocol
> OPTIONS /userinfo HTTP/1.1
> Host: localhost:8243
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Accept: */*
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET
< Host: localhost:8243
< Access-Control-Allow-Headers: authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction
< Date: Sun, 23 Oct 2016 14:43:27 GMT
< Transfer-Encoding: chunked
<
If you're using the same URL, please post your complete curl request and response.
来源:https://stackoverflow.com/questions/40201682/cors-is-not-working-on-oauth2-userinfo-endpoint-in-wso2-api-manager