Angular-auth-oidc-client: CORS not enabled on Microsoft well known endpoints
My understanding might be totally wrong. But I wanted to have a discussion around the same.
I was testing the library from ng app hosted on localhost:4200. I am authenticating against Azure AD app (implicit flow). The auth flow gets stuck while getting signing keys.
It appears the some key discovery endpoints (e.g. jwks_uri: https://login.microsoftonline.com/common/discovery/keys, userinfo : https://login.microsoftonline.com/common/openid/userinfo ) do not have CORS enabled. We can not make an XHR request to retrieve information post callback.
Have you guys encountered this error before? am I missing something here?
This is the flow -
- Login method initiates auth url generation
- Round trip to auth url and retrieval of access token, state etc.
- Get signing keys (throws CORS error).
- Post validation, get user information (thrown CORS error after I explicitly tried to skip token validation)
Opened an issue since couldn't find better channel to talk.
Cheers,
Rahul.
r4hulp
All 17 comments
Could this be the same issue
damienbod
on 20 Jun 2017
Aha, that's the one @damienbod.
Now I am wondering, how would we validate response with jwt keys. We also would not get user information from the endpoint.
Would skipping validation and user info collection a right way to go ahead if at all we have to make this compatible with AAD?
Just thinking loud.
r4hulp
on 21 Jun 2017
No, you could download the well known endpoints and access these from the local service. These hardly every change. Seems like the User service from AAD needs the id_token for access which is incorrect...
damienbod
on 21 Jun 2017
The common .well-known point supports CORS. The only problem is other few discovery points. I guess I need to download response from https://login.microsoftonline.com/common/discovery/keys, host it somewhere on my backend and regenerate the entire well-known discovery object with new endpoints that support CORS. Also, the userinfo won't work for AAD.
Hacky way to get rid of userinfo requiring id_token is to wrap up custom user discovery endpoint that uses Microsoft Graph to retrieve user info on my own server and add that URL in my custom wellknown endpoint.
{
authorization_endpoint: "https://login.microsoftonline.com/common/oauth2/authorize",
token_endpoint: "https://login.microsoftonline.com/common/oauth2/token",
token_endpoint_auth_methods_supported: [
"client_secret_post",
"private_key_jwt"
],
jwks_uri: "<custom_keys_discovery_ep>",
response_modes_supported: [
"query",
"fragment",
"form_post"
],
subject_types_supported: [
"pairwise"
],
id_token_signing_alg_values_supported: [
"RS256"
],
http_logout_supported: true,
frontchannel_logout_supported: true,
end_session_endpoint: "https://login.microsoftonline.com/common/oauth2/logout",
response_types_supported: [
"code",
"id_token",
"code id_token",
"token id_token",
"token"
],
scopes_supported: [
"openid"
],
issuer: "https://sts.windows.net/{tenantid}/",
claims_supported: [
"sub",
"iss",
"cloud_instance_name",
"cloud_graph_host_name",
"aud",
"exp",
"iat",
"auth_time",
"acr",
"amr",
"nonce",
"email",
"given_name",
"family_name",
"nickname"
],
microsoft_multi_refresh_token: true,
check_session_iframe: "https://login.microsoftonline.com/common/oauth2/checksession",
userinfo_endpoint: "<custom_userinfo_endpoint>",
tenant_region_scope: null,
cloud_instance_name: "microsoftonline.com",
cloud_graph_host_name: "graph.windows.net"
}
Very hacky imho. :-(
r4hulp
on 25 Jun 2017
Agree, but I don't have any control over the server URLs
damienbod
on 25 Jun 2017
closing this, repoen if you feel we need to do something here.
Thanks Damien
damienbod
on 28 Jun 2017
@r4hulp did you find any solution on this?
g-guth
on 18 Oct 2017
Yes, it was a bug in the http request, it now works
damienbod
on 18 Oct 2017
is {tenant-speciefic}.well-known endpoints working via ajax request for AAD now (version 3.0.1)?
g-guth
on 26 Oct 2017
It works for .well-known but not for /discovery/keys
aminebizid
on 21 Dec 2017
What is your recommended solution for this?
BernhardRode
on 25 Jan 2018
I download the 2 files and add them locally. Then use these. Here's an example:
And the blog:
https://damienbod.com/2018/01/23/using-the-dotnet-angular-template-with-azure-ad-oidc-implict-flow/
Greetings Damien
damienbod
on 25 Jan 2018
@damien you don鈥檛 have any garentee that the endpoints and keys won鈥檛 change. Storing them locally may don鈥檛 work further.
aminebizid
on 26 Jan 2018
@aminebizid yes, this is a problem, and I don't now how often this changes,
What you could also do is use Azure AD B2C.
Here's an example. You need to configure this on Azure.
https://github.com/HWouters/ad-b2c-oidc-angular/blob/master/src/app/app.module.ts
damienbod
on 26 Jan 2018
Cross posted from the oidc-client repo
WARNING: Hacky idea alert!...
Manually fetch https://login.microsoftonline.com/common/discovery/keys and save to your local server. Then make a request to your own server by editing your oidc configuration. Ours looks like this:
export default {
authority: 'https://login.microsoftonline.com/YOUR_TENANT_ID',
client_id: 'MY_CLIENT_ID',
resource: 'MY_CLIENT_ID',
redirect_uri: 'http://localhost:8081/signin-oidc',
response_type: 'id_token token',
metadata: {
// magic happens here!!
jwks_uri: 'http://localhost:8081/jwks.json',
authorization_endpoint: "https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/authorize",
issuer: "https://sts.windows.net/YOUR_TENANT_ID/",
},
scope: 'openid',
loadUserInfo: false,
silent_redirect_uri: 'http://localhost:8081/silent-refresh-oidc.html',
automaticSilentRenew: true,
accessTokenExpiringNotificationTime: 30,
};
tommed
on 2 Nov 2018
They seem to have enabled CORS for their jwks endpoint now. Best to switch over or get caught out like we did with a cached copy of the old keys.
Matt-J-Hosking
on 11 Jul 2019
they did only for the azure AD, b2c tenants still suffer the problem
giuseppe-bertucci
on 11 Sep 2019
Related issues
brentos99
路
4Comments
Expelz
路
4Comments
yelhouti
路
4Comments
jhossy
路
4Comments
Jonesie
路
4Comments