CORS Header for OAUTH2 APM

Hello,

We are evaluating APM for OAUTH2, running on v13.0 HF2. One of our dev teams is building a single page application that wants to use grant type "password". Therefore, they need to have CORS headers (Access-Control-Allow-Origin) on the token endpoint /f5-oauth2/v1/token.

If the header is not applied, they see an error: XMLHttpRequest cannot load https://oauth.mydomain.de/f5-oauth2/v1/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://app.mydomain.de' is therefore not allowed access.

I tried to add the header in HTTP_RESPONSE, but this seems not to be applied to the traffic. My workaround is to have a layered VS that applies the header and forwards to the APM VS.

Is there a more elegant solution for that?

when HTTP_REQUEST {
    unset -nocomplain cors_origin
    if { [HTTP::header "Origin"] contains "mydomain.de" } {
        set cors_origin [HTTP::header "Origin"]
        log local0. "CORS Origin seen: [HTTP::header "Origin"]"
    }
}

when HTTP_RESPONSE {
    # CORS GET/POST response - check cors_origin variable set in request
    if { [info exists cors_origin] } {
        HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
        log local0. "CORS Header sent: Access-Control-Allow-Origin $cors_origin"
    }
}
0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

We are having the same issue; at this time we have two virtual servers in a layered fashion, and one of them is just for adding headers in the response.

Our approach is now using OpenID, so we are seeing that F5 does not add the headers to its own responses on the OAuth URLs, e.g. {fqdn}/.well-known/openid-configuration

At this time, the solution for me is changing in some way the F5 internal server (Apache) to add CORS response headers to any of the responses, but I don't know how, yet.

By the way, the iRule in this case, where we are using OpenID, will not work because the HTTP::Response will trigger only if the traffic comes from the server side. In this case, the OpenID portal and OAuth services run only on the client side.

0
Comments on this Answer
Comment made 29-Mar-2018 by Daniel W. 283

Hi,

I solved the issue without a layered VS. It's simply using HTTP_RESPONSE_RELEASE instead of HTTP_RESPONSE.

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
    unset -nocomplain cors_origin
    if { [HTTP::header "Origin"] contains "mydomain.com" } {
        set cors_origin [HTTP::header "Origin"]
        log local0. "CORS Origin seen: [HTTP::header "Origin"]"
    }
}

when HTTP_RESPONSE_RELEASE {
    # CORS GET/POST response - check cors_origin variable set in request
    if { [info exists cors_origin] } {
        HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
        log local0. "CORS Header sent: Access-Control-Allow-Origin $cors_origin"
    }
}
0
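
A stricter variant of the iRule in the comment above, as an added example that is not part of the original thread: it compares Origin against an exact allowlist, because a substring test such as `contains "mydomain.com"` also accepts any origin that merely embeds that text. The allowlisted origin and the /f5-oauth2/ prefix are taken from the question; the path scoping and the Vary header are assumptions added here.

```tcl
# Added example, not the posters' code. Adjust the allowlist and path prefix
# (both assumptions based on the question) to your deployment.
when CLIENT_ACCEPTED {
    # As in the comment above: needed so the HTTP events below fire for
    # requests that APM answers itself.
    ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
    unset -nocomplain cors_origin
    # Only the OAuth endpoints get CORS headers
    if { [string tolower [HTTP::path]] starts_with "/f5-oauth2/" } {
        set origin [string tolower [HTTP::header value "Origin"]]
        # Exact comparison of scheme + host (+ port), one arm per allowed origin
        switch -- $origin {
            "https://app.mydomain.de" {
                set cors_origin $origin
            }
            default {
                if { $origin ne "" } {
                    # Rejected origins are worth seeing in the logs
                    log local0. "CORS: Origin not in allowlist: $origin"
                }
            }
        }
    }
}

when HTTP_RESPONSE_RELEASE {
    if { [info exists cors_origin] } {
        # replace instead of insert, so exactly one header value is sent
        HTTP::header replace "Access-Control-Allow-Origin" $cors_origin
        # The response now varies by Origin; tell caches not to share it
        HTTP::header insert "Vary" "Origin"
    }
}
```

Requests from origins outside the allowlist still reach the token endpoint, but the response carries no Access-Control-Allow-Origin header, so the browser will not expose it to the calling script.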
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

THANKS

0