IBM Verify

  • 1.  OIDC register endpoint CORS error

    Posted Mon May 24, 2021 01:28 PM
    Hi, we are developing a sample application to show a customer Verify Access compliance for open banking, specifically OIDC dynamic client registration, so we faced CORS policies to allow access to Verify Access from the sample application. We configured a sample CORS policy in the reverse proxy configuration file as shown:

    [cors-policy:apiac_policyA]
    handle-pre-flight = true
    max-age = 0
    allow-credentials = true
    allow-origin = *
    request-match = POST *
    request-match = GET *
    request-match = OPTIONS *

    The request to the introspect endpoint could be performed without issue, as shown in the first screenshot.

    But the request to the register endpoint keeps responding with a CORS error, as shown.

    Has anybody faced the same issue? Any clue?
    Thanks in advance.
    Regards.

    ------------------------------
    David Vicenteño
    ------------------------------


  • 2.  RE: OIDC register endpoint CORS error

    Posted Thu June 24, 2021 03:47 AM
    Hi David,

    Did you ever figure this out?  If you did, what was the answer?

    If not:
      - It seems odd to me that two (essentially identical) requests would result in one working and one failing.
      - Is there any difference in the way the call is being made from client-side JavaScript?  Can you share the script sample?
      - Also, can you share the response from the pre-flight check in both cases - maybe even a pdweb.debug trace of these?
      - I wonder if @Scott Exton has any ideas.

    Jon.


    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: OIDC register endpoint CORS error

    Posted Thu June 24, 2021 03:00 PM
    Hi Jon,
    I haven't resolved this. I have committed some changes; the CORS policy in the reverse proxy was configured as shown:

    [cors-policy:apiac_policyA]
    handle-pre-flight = true
    max-age = 0
    allow-credentials = true
    allow-origin = *
    request-match = POST /mga/*
    request-match = GET /mga/*
    request-match = OPTIONS /mga/*
    request-match = PUT /mga/*
    request-match = DELETE /mga/*
    request-match = POST /mga/sps/oauth/oauth20/register/OIDCDefinition
    request-match = GET /mga/sps/oauth/oauth20/register/OIDCDefinition
    request-match = OPTIONS /mga/sps/oauth/oauth20/register/OIDCDefinition
    request-match = PUT /mga/sps/oauth/oauth20/register/OIDCDefinition
    request-match = DELETE /mga/sps/oauth/oauth20/register/OIDCDefinition
    Access-Control-Allow-Headers = content-type,accept
    Access-Control-Expose-Headers = access-control-allow-origin

    When I attach the "isam oauth unauth" ACL to the register endpoint, both requests, "introspect" and "register", are performed without issues.

    The above assumes that dynamic clients can be registered without any security, that is, without needing authentication to carry out the request, right?

    If I attach the original ACL ("isam oauth rest") to the register endpoint, the CORS policy blocks the register request again.

    I cannot see a "pre-flight" request/response in the "introspection" request.
    This is the pre-flight response in this case:

    Requests to these endpoints are done with simple XHR requests over JavaScript in the "Introspect" and "myRegistry" functions.

    Let me get some time to generate the "pdweb.debug" trace.
    Thanks in advance, Jon. Regards.

    ------------------------------
    David Vicenteño
    ------------------------------



  • 4.  RE: OIDC register endpoint CORS error

    Posted Thu June 24, 2021 08:15 PM
    Hi David,

    It looks like you are using Chrome, which will not always show the pre-flight requests in the developer tools and can lead to confusion while debugging. There is a flag which can be switched that will make the pre-flight requests show up like regular requests, some details can be found in this Chrome support thread: https://support.google.com/chrome/thread/11089651/i-started-getting-cors-errors-after-upgrading-to-v76?hl=en

    Additionally, there is a trace component "pdweb.http.cors" which you can turn on in the reverse proxy to observe the server side CORS processing.

    Based on the response headers I can see in your network trace, it looks like you are on version 10.0.0.0. The original CORS engine in the reverse proxy did not take effect if the response was a management/error page generated by the reverse proxy; in your case it sounds like the reverse proxy is returning a login/access denied/other error page when "isam oauth rest" is attached.

    A recent change was made to the CORS engine so that it would be able to respond correctly when the pre-flight request resulted in a management/error page. This change will be available in the next version of Verify Access which will be available very soon.

    ------------------------------
    Keiran Robinson
    IBM Application Gateway Development
    IBM Security Verify Access Development
    IBM Security
    ------------------------------
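As an added example (not part of the thread and not Verify Access code), here is a small Python model of the browser-side pre-flight checks from the Fetch standard; it shows why an OPTIONS pre-flight that is answered by a login or error page without CORS headers fails even though the policy's request-match lines cover the endpoint, and why `allow-origin = *` stops working as soon as the XHR sends credentials. The origin, the request/response pairs and the 403 status are constructed; the 403 simply stands in for whatever error page the reverse proxy returns with "isam oauth rest" attached.

```python
from dataclasses import dataclass, field

@dataclass
class Preflight:
    origin: str
    method: str                     # Access-Control-Request-Method
    headers: list                   # Access-Control-Request-Headers
    with_credentials: bool = False  # XHR withCredentials / fetch credentials: "include"

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)

def _hdr(headers, name):
    """Case-insensitive header lookup; None when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def _tokens(value):
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}

def evaluate_preflight(req, resp):
    """Reasons a browser would reject this pre-flight; an empty list means allowed."""
    problems = []
    if not 200 <= resp.status < 300:  # a login redirect or error page fails right here
        problems.append(f"pre-flight answered with HTTP {resp.status}, not 2xx")
    acao = _hdr(resp.headers, "Access-Control-Allow-Origin")
    if acao is None:
        problems.append("no Access-Control-Allow-Origin on the pre-flight response")
    elif acao not in ("*", req.origin):
        problems.append(f"Access-Control-Allow-Origin {acao!r} does not match origin")
    if req.with_credentials:  # '*' is never honoured once cookies/credentials are sent
        if acao == "*":
            problems.append("wildcard Access-Control-Allow-Origin rejected with credentials")
        if (_hdr(resp.headers, "Access-Control-Allow-Credentials") or "").lower() != "true":
            problems.append("Access-Control-Allow-Credentials: true missing")
    allowed = _tokens(_hdr(resp.headers, "Access-Control-Allow-Headers"))
    for h in req.headers:  # every non-safelisted request header must be listed
        if h.lower() not in allowed and not ("*" in allowed and not req.with_credentials):
            problems.append(f"header {h} not in Access-Control-Allow-Headers")
    return problems

# Constructed cases mirroring the thread: introspect gets a 200 with CORS headers,
# register (with "isam oauth rest" attached) gets the proxy's error page instead.
REQ = Preflight("https://app.example.test", "POST", ["content-type"])
INTROSPECT_RESP = Response(200, {"Access-Control-Allow-Origin": "*",
                                 "Access-Control-Allow-Headers": "content-type,accept"})
REGISTER_RESP = Response(403, {"Content-Type": "text/html"})
```

Feeding the headers from a real pre-flight capture (or a pdweb.http.cors trace) into `evaluate_preflight` tells you which of the browser's checks the proxy's answer is failing, rather than guessing from Chrome's hidden OPTIONS requests.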