IBM Verify

  • 1.  IAG - Cors Policy - Redirect is not allowed for a preflight request

    Posted Tue October 11, 2022 11:05 AM

    Hello,

    We need urgent support to understand what we are doing wrong in the following case.

    We have started working on IAG with OIDC setup and our React based frontend after login are requesting APIs which are behind IAG.



    Customer Facing Frontend Domain : www.testdomain.com

    ISVA Identity Provider : www.testdomain.com

    IAG Instance running on : https://security-iag-no.apps-int.testdomain.io/api-customer/v1?fremtidige=true

    Error on Browser : Access to fetch at 'https://security-iag-no.apps-int.testdomain.io/api-customer/v1?fremtidige=true' from origin 'https://www.testdomain.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

    IAG Request log : 

    11/Oct/2022:14:58:31 +0000 Request from client IP: *.*.*.*, User: unauthenticated, OPTIONS HTTPS://security-iag-no.apps-int.testdomain.io/api-customer/v1?fremtidige=true HTTP/1.1, Response: 302 from -

    resource-server-api-customer.yaml looks like following :

    version: "21.12"
    resource_servers:
      - path: "/api-customer"
        transparent_path: false
        connection_type: "tcp"
        servers:
          - host: "api-customer.team-service.svc.cluster.local"
            port: "80"
        identity_headers:
          jwt:
            certificate: "@secrets-store/domainSigner"
            hdr_name: Authorization
            claims:
              - attr: access_token
              - name: sub
                attr: AZN_CRED_PRINCIPAL_NAME
              - attr: source
              - attr: groups
              - name: acr
                attr: AZN_CRED_AUTH_METHOD
              - attr: common_name
                name: name
              - attr: given_name
              - attr: family_name
              - attr: email
              - name: aud
                text: "urn:liberty"
              - attr: attest
              - attr: orig
                name: amr
              - attr: dest
              - attr: iss
        policies:
          authorization:
            - name: "default_deny"
              paths:
                - "*"
              rule: "()"
              action: "deny"
            - name: "any_auth_user"
              methods:
                - "GET"
                - "POST"
                - "PUT"
                - "OPTIONS"
              paths:
                - "/api-customer"
              rule: "anyauth"
              action: "permit"
          cors:
            - name: cors_policy_A
              host: "api-customer.team-service.svc.cluster.local"
              paths:
              - "/api-customer"
              method: GET, POST, OPTIONS
              policy:
                allow_origins:
                - testdomain.com
                - www.testdomain.com
                handle_pre_flight: true
                max_age: 600
                allow_methods:
                - update
                - create
                allow_credentials: true
                allow_headers:
                  - Origin
                  - Content-Type
                  - Access-Control-Allow-Headers
                  - Authorization
                  - X-Requested-With
        rate_limiting:
          - name: "hard_limit_by_ip"
            paths:
              - "/api-customer"
            methods:
              - "*"
            rule: |
              ip: true
              capacity: 5
              interval: 10
              reaction: CLOSE
    



    ------------------------------
    Piyush Agrawal
    https://www.linkedin.com/in/piyush-norway/
    Gjensidige Norway
    ------------------------------


  • 2.  RE: IAG - Cors Policy - Redirect is not allowed for a preflight request

    Posted Tue October 11, 2022 05:36 PM

    Piyush,


    This sounds like a configuration issue with your CORS configuration – however it is impossible to say for sure without additional information.  If you need urgent support assistance I would suggest that you raise a support ticket with IBM.


    Thanks


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


  • 3.  RE: IAG - Cors Policy - Redirect is not allowed for a preflight request

    Posted Wed October 12, 2022 07:55 AM
    Thanks Scott, I have just created Case TS010898698. I am not sure if it is in the correct category, as I couldn't find IAG as a topic.

    ------------------------------
    Piyush Agrawal
    https://www.linkedin.com/in/piyush-norway/
    Gjensidige Norway
    ------------------------------



  • 4.  RE: IAG - Cors Policy - Redirect is not allowed for a preflight request

    Posted Wed October 12, 2022 08:32 AM

    The only thing I see is that you are missing "expose_headers", which indicates to clients which headers they expose from the response.
    Also, do you want IAG to handle the pre-flight requests? If set to false it will just forward requests to your application server.
    One more thing: for troubleshooting before opening a case, try simplifying, then restricting. For example: method: "*" and path: "*"

    https://docs.verify.ibm.com/gateway/docs/yaml-policies-cors



    ------------------------------
    Robert Graham
    Cloud Security Consultant
    IAM Modernization
    IBM Expert Labs
    US
    ------------------------------



  • 5.  RE: IAG - Cors Policy - Redirect is not allowed for a preflight request

    Posted Wed October 12, 2022 10:10 AM
    Hi Piyush,

    Regrettably, there is an issue with the CORS YAML processing which we will only be able to resolve via the support process.

    In the meantime, I do have something that you can use today. It is still possible to specify an equivalent to what your YAML was expressing by using the "advanced" configuration.

    Try removing the "policies/cors" from your YAML and adding this "advanced" entry. "advanced" is a top-level entry so you can just append it to the end of your current YAML.

    advanced:
      configuration: 
        - stanza:    "cors-policy:cors_policy_A"
          entry:     "request-match"
          operation: "add"
          value: 
            - "[api-customer.team-service.svc.cluster.local]GET /api-customer HTTP/*"
            - "[api-customer.team-service.svc.cluster.local]POST /api-customer HTTP/*"
            - "[api-customer.team-service.svc.cluster.local]OPTIONS /api-customer HTTP/*"
        - stanza:    "cors-policy:cors_policy_A"
          entry:     "allow-origin"
          operation: "add"
          value: 
            - "https://testdomain.com"
            - "https://www.testdomain.com"
        - stanza:    "cors-policy:cors_policy_A"
          entry:     "handle-pre-flight"
          operation: "add"
          value: true
        - stanza:    "cors-policy:cors_policy_A"
          entry:     "allow-credentials"
          operation: "add"
          value: true
        - stanza:    "cors-policy:cors_policy_A"
          entry:     "max-age"
          operation: "add"
          value: 600
        - stanza:    "cors-policy:cors_policy_A"
          entry:     "allow-header"
          operation: "add"
          value: 
            - "Origin"
            - "Content-Type"
            - "Access-Control-Allow-Headers"
            - "Authorization"
            - "X-Requested-With"
        - stanza:    "cors-policy:cors_policy_A"
          entry:     "allow-method"
          operation: "add"
          value: 
            - "create"
            - "update"


    You may notice that the entry names are slightly different; these are the entry names used in the underlying reverse proxy in IAG, which is very similar to the reverse proxy in Verify Access. (You can see Verify Access' reference for these entries here: https://www.ibm.com/docs/en/sva/10.0.4?topic=reference-cors-policypolicy-name-stanza)

    I have included an example request/response below which I hope you will find useful:

    $ curl -v -k https://iag/api-customer -X OPTIONS \
        -H "access-control-request-method: create" \
        -H "access-control-request-headers: origin, x-requested-with" \
        -H "origin: https://www.testdomain.com" \
        -H "host: api-customer.team-service.svc.cluster.local"
    
    ...
    
    > OPTIONS /api-customer HTTP/2
    > Host: api-customer.team-service.svc.cluster.local
    > user-agent: curl/7.81.0
    > accept: */*
    > access-control-request-method: create
    > access-control-request-headers: origin, x-requested-with
    > origin: https://www.testdomain.com
    >
    
    ...
    
    < HTTP/2 204
    < p3p: CP="NON CUR OTPi OUR NOR UNI"
    < access-control-allow-origin: https://www.testdomain.com
    < access-control-allow-methods: create, update
    < access-control-allow-headers: Origin, Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With
    < access-control-max-age: 600
    < access-control-allow-credentials: true
    < strict-transport-security: max-age=31536000; includeSubDomains
    <


    Let me know if you encounter any difficulties with this alternative configuration.

    Thanks,

    ------------------------------
    Keiran Robinson
    IBM Application Gateway Development
    IBM Security Verify Access Development
    IBM Security
    ------------------------------
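To make the exchange in Keiran's reply reproducible offline, here is an added Python model (not IAG code, and not from this thread's authors) of the two sides: the gateway answering a preflight from the cors_policy_A values in the "advanced" entry, and the checks a browser applies to that answer, including the rejection of any 3xx that produced the error in the original post. The policy dict, the helper names and the browser-side reason strings are this example's own constructions.

```python
# Constructed from the "advanced" stanza values posted in this thread.
CORS_POLICY_A = {
    "allow_origins": ["https://testdomain.com", "https://www.testdomain.com"],
    "allow_methods": ["create", "update"],
    "allow_headers": ["Origin", "Content-Type", "Access-Control-Allow-Headers",
                      "Authorization", "X-Requested-With"],
    "max_age": 600,
    "allow_credentials": True,
    "handle_pre_flight": True,
}

def _lower_keys(headers):
    return {k.lower(): v for k, v in headers.items()}

def preflight_response(policy, request_headers):
    """Answer an OPTIONS preflight from the policy alone, before any
    authentication runs; None means the gateway does not handle it and the
    request takes the normal (authenticated) path instead."""
    origin = _lower_keys(request_headers).get("origin")
    # The Origin header carries the scheme, so the allow list is compared as
    # a full origin string: a bare "www.testdomain.com" entry never matches.
    if not policy["handle_pre_flight"] or origin not in policy["allow_origins"]:
        return None
    return 204, {
        "access-control-allow-origin": origin,
        "access-control-allow-methods": ", ".join(policy["allow_methods"]),
        "access-control-allow-headers": ", ".join(policy["allow_headers"]),
        "access-control-max-age": str(policy["max_age"]),
        "access-control-allow-credentials": str(policy["allow_credentials"]).lower(),
    }

def browser_accepts_preflight(status, headers, request_headers):
    """The checks a browser applies to a preflight response, as (ok, reason).
    A 3xx fails before anything else is inspected: the error in post 1."""
    if 300 <= status < 400:
        return False, "Redirect is not allowed for a preflight request"
    if not 200 <= status < 300:
        return False, "preflight status not 2xx"
    req = _lower_keys(request_headers)
    # With credentials the origin must be echoed exactly; "*" is not accepted.
    if headers.get("access-control-allow-origin") != req.get("origin"):
        return False, "origin not allowed"
    methods = [m.strip() for m in headers.get("access-control-allow-methods", "").split(",")]
    if req.get("access-control-request-method", "") not in methods:
        return False, "method not allowed"
    allowed = {h.strip().lower() for h in headers.get("access-control-allow-headers", "").split(",")}
    wanted = [h.strip().lower() for h in req.get("access-control-request-headers", "").split(",") if h.strip()]
    if any(h not in allowed for h in wanted):
        return False, "header not allowed"
    return True, "ok"
```

Feeding it the headers from the curl command above yields the same 204 header set shown in the reply, while a 302 is refused with the exact browser message from the first post.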