Hi Piyush,
Regrettably, there is an issue with the CORS YAML processing which we will only be able to resolve via the support process.
In the meantime, I do have something that you can use today. It is still possible to specify an equivalent to what your YAML was expressing by using the "advanced" configuration.
Try removing the "policies/cors" from your YAML and adding this "advanced" entry. "advanced" is a top-level entry so you can just append it to the end of your current YAML.
advanced:
  configuration:
    - stanza: "cors-policy:cors_policy_A"
      entry: "request-match"
      operation: "add"
      value:
        - "[api-customer.team-service.svc.cluster.local]GET /api-customer HTTP/*"
        - "[api-customer.team-service.svc.cluster.local]POST /api-customer HTTP/*"
        - "[api-customer.team-service.svc.cluster.local]OPTIONS /api-customer HTTP/*"
    - stanza: "cors-policy:cors_policy_A"
      entry: "allow-origin"
      operation: "add"
      value:
        - "https://testdomain.com"
        - "https://www.testdomain.com"
    - stanza: "cors-policy:cors_policy_A"
      entry: "handle-pre-flight"
      operation: "add"
      value: true
    - stanza: "cors-policy:cors_policy_A"
      entry: "allow-credentials"
      operation: "add"
      value: true
    - stanza: "cors-policy:cors_policy_A"
      entry: "max-age"
      operation: "add"
      value: 600
    - stanza: "cors-policy:cors_policy_A"
      entry: "allow-header"
      operation: "add"
      value:
        - "Origin"
        - "Content-Type"
        - "Access-Control-Allow-Headers"
        - "Authorization"
        - "X-Requested-With"
    - stanza: "cors-policy:cors_policy_A"
      entry: "allow-method"
      operation: "add"
      value:
        - "create"
        - "update"
You may notice that the entry names are slightly different; these are the entry names used in the underlying reverse proxy in IAG, which is very similar to the reverse proxy in Verify Access. (You can see Verify Access' reference for these entries here: https://www.ibm.com/docs/en/sva/10.0.4?topic=reference-cors-policypolicy-name-stanza)
I have included an example request/response below which I hope you will find useful:
$ curl -v -k https://iag/api-customer -X OPTIONS \
-H "access-control-request-method: create" \
-H "access-control-request-headers: origin, x-requested-with" \
-H "origin: https://www.testdomain.com" \
-H "host: api-customer.team-service.svc.cluster.local"
...
> OPTIONS /api-customer HTTP/2
> Host: api-customer.team-service.svc.cluster.local
> user-agent: curl/7.81.0
> accept: */*
> access-control-request-method: create
> access-control-request-headers: origin, x-requested-with
> origin: https://www.testdomain.com
>
...
< HTTP/2 204
< p3p: CP="NON CUR OTPi OUR NOR UNI"
< access-control-allow-origin: https://www.testdomain.com
< access-control-allow-methods: create, update
< access-control-allow-headers: Origin, Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With
< access-control-max-age: 600
< access-control-allow-credentials: true
< strict-transport-security: max-age=31536000; includeSubDomains
<
Let me know if you encounter any difficulties with this alternative configuration.
Thanks,
------------------------------
Keiran Robinson
IBM Application Gateway Development
IBM Security Verify Access Development
IBM Security
------------------------------
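As an added illustration (not code from the thread, IAG or curl), the function below applies the browser's preflight check, simplified from the Fetch standard, to two responses: the 204 captured in the curl transcript above, and a constructed 302 modelled on the IAG log line in the original message below. It shows why a redirect fails the preflight before any CORS header is even consulted, and what else the browser verifies once a 2xx arrives. Header values are copied from the transcript; the 302 response and the alternative origin/method cases are constructed.

```python
# Simplified browser-side CORS-preflight check (after the Fetch standard).
# Added example for this thread; not IAG, curl or IBM code.

def _tokens(value: str) -> set[str]:
    """Split a comma-separated header value into lower-cased tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def check_preflight(request: dict, response: dict) -> list[str]:
    """Return the reasons a browser would reject the preflight ([] = accepted).

    request:  {"origin": str, "method": str, "headers": [names...]}
    response: {"status": int, "headers": {name: value}} (names in any case)
    """
    problems: list[str] = []
    status = response["status"]
    hdrs = {k.lower(): v for k, v in response["headers"].items()}

    # Preflights must be answered directly; any 3xx is fatal. This is the
    # "Redirect is not allowed for a preflight request" browser error.
    if 300 <= status < 400:
        return [f"preflight answered with a {status} redirect"]
    if not 200 <= status < 300:
        return [f"preflight status {status} is not a success status"]

    creds = hdrs.get("access-control-allow-credentials", "").lower() == "true"
    origin = hdrs.get("access-control-allow-origin")
    if origin is None:
        problems.append("missing access-control-allow-origin")
    elif origin == "*":
        if creds:  # a wildcard origin is rejected once credentials are allowed
            problems.append("wildcard allow-origin cannot be combined with credentials")
    elif origin != request["origin"]:  # exact, case-sensitive match required
        problems.append(f"origin {request['origin']} not allowed (server sent {origin})")

    allowed_methods = _tokens(hdrs.get("access-control-allow-methods", ""))
    method = request["method"].lower()
    if method not in allowed_methods and not ("*" in allowed_methods and not creds) \
            and method not in {"get", "head", "post"}:  # safelisted methods need no listing
        problems.append(f"method {request['method']} not in allow-methods")

    allowed_headers = _tokens(hdrs.get("access-control-allow-headers", ""))
    for name in request["headers"]:  # each requested header must be listed (case-insensitive)
        if name.lower() not in allowed_headers and not ("*" in allowed_headers and not creds):
            problems.append(f"header {name} not in allow-headers")
    return problems


# Preflight and 204 response transcribed from the curl exchange above.
PREFLIGHT = {"origin": "https://www.testdomain.com", "method": "create",
             "headers": ["origin", "x-requested-with"]}
OK_RESPONSE = {"status": 204, "headers": {
    "access-control-allow-origin": "https://www.testdomain.com",
    "access-control-allow-methods": "create, update",
    "access-control-allow-headers": "Origin, Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With",
    "access-control-max-age": "600", "access-control-allow-credentials": "true"}}
# Constructed from the IAG log line (OPTIONS answered with 302); headers omitted, the status alone is fatal.
REDIRECT_RESPONSE = {"status": 302, "headers": {}}
```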
Original Message:
Sent: Tue October 11, 2022 11:04 AM
From: Piyush Agrawal
Subject: IAG - Cors Policy - Redirect is not allowed for a preflight request
Hello,
We need urgent support to understand what we are doing wrong in the following case.
We have started working on IAG with an OIDC setup, and after login our React-based frontend requests APIs which are behind IAG.
Customer Facing Frontend Domain : www.testdomain.com
ISVA Identity Provider : www.testdomain.com
IAG Instance running on : https://security-iag-no.apps-int.testdomain.io/api-customer/v1?fremtidige=true
Error on Browser : Access to fetch at 'https://security-iag-no.apps-int.testdomain.io/api-customer/v1?fremtidige=true' from origin 'https://www.testdomain.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
IAG Request log :
11/Oct/2022:14:58:31 +0000 Request from client IP: *.*.*.*, User: unauthenticated, OPTIONS HTTPS://security-iag-no.apps-int.testdomain.io/api-customer/v1?fremtidige=true HTTP/1.1, Response: 302 from -
resource-server-api-customer.yaml looks like the following:
version: "21.12"
resource_servers:
  - path: "/api-customer"
    transparent_path: false
    connection_type: "tcp"
    servers:
      - host: "api-customer.team-service.svc.cluster.local"
        port: "80"
    identity_headers:
      jwt:
        certificate: "@secrets-store/domainSigner"
        hdr_name: Authorization
        claims:
          - attr: access_token
          - name: sub
            attr: AZN_CRED_PRINCIPAL_NAME
          - attr: source
          - attr: groups
          - name: acr
            attr: AZN_CRED_AUTH_METHOD
          - attr: common_name
            name: name
          - attr: given_name
          - attr: family_name
          - attr: email
          - name: aud
            text: "urn:liberty"
          - attr: attest
          - attr: orig
            name: amr
          - attr: dest
          - attr: iss
    policies:
      authorization:
        - name: "default_deny"
          paths:
            - "*"
          rule: "()"
          action: "deny"
        - name: "any_auth_user"
          methods:
            - "GET"
            - "POST"
            - "PUT"
            - "OPTIONS"
          paths:
            - "/api-customer"
          rule: "anyauth"
          action: "permit"
      cors:
        - name: cors_policy_A
          host: "api-customer.team-service.svc.cluster.local"
          paths:
            - "/api-customer"
          method: GET, POST, OPTIONS
          policy:
            allow_origins:
              - testdomain.com
              - www.testdomain.com
            handle_pre_flight: true
            max_age: 600
            allow_methods:
              - update
              - create
            allow_credentials: true
            allow_headers:
              - Origin
              - Content-Type
              - Access-Control-Allow-Headers
              - Authorization
              - X-Requested-With
      rate_limiting:
        - name: "hard_limit_by_ip"
          paths:
            - "/api-customer"
          methods:
            - "*"
          rule: |
            ip: true
            capacity: 5
            interval: 10
            reaction: CLOSE
------------------------------
Piyush Agrawal
https://www.linkedin.com/in/piyush-norway/
Gjensidige Norway
------------------------------