
preflight OPTIONS Error with NodeJs endpoint

We have an endpoint in a Node.js application. Before calling the endpoint, we authenticate the user with Okta.

The request from the source fails with a CORS error on the OPTIONS (preflight) request.

We use the Okta introspection call to validate the access token. Below are the policies we are using:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Posts the caller's access token to the Okta introspection endpoint and stores the reply in okta.introspection.response. -->
<!-- NOTE(review): continueOnError="true" lets the flow carry on when this callout fails. Unless a later step rejects the request explicitly, an introspection error or outage fails open. Confirm that such a step exists. -->
<ServiceCallout async="false" continueOnError="true" enabled="true" name="SC-introspectToken">
    <DisplayName>SC-introspectToken</DisplayName>
    <Properties/>
    <Request clearPayload="true" variable="okta.request">
        <Set>
            <Headers>
                <Header name="content-type">application/x-www-form-urlencoded</Header>
                <Header name="cache-control">no-cache</Header>
                <Header name="accept">application/json</Header>
            </Headers>
            <FormParams>
                <!-- {token} and {client_id} are flow variables set outside this snippet; where they are populated is not shown here. -->
                <FormParam name="token">{token}</FormParam>
                <FormParam name="token_type_hint">access_token</FormParam>
            </FormParams>
            <QueryParams>
                <QueryParam name="client_id">{client_id}</QueryParam>
            </QueryParams>
        </Set>
        <!-- NOTE(review): with this set to true, an unresolved {token} or {client_id} is presumably sent as an empty value instead of raising an error. Confirm that a request without a token is rejected before or after this call. -->
        <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    </Request>
    <Response>okta.introspection.response</Response>
    <HTTPTargetConnection>
        <Properties>
            <Property name="use.proxy">true</Property>
        </Properties>
        <!-- <URL>https://dev-79724599.okta.com/oauth2/default/v1/introspect</URL>-->
        <URL>https://mmc.oktapreview.com/oauth2/default/v1/introspect</URL>
    </HTTPTargetConnection>
</ServiceCallout>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Reads the introspection reply (okta.introspection.response) and copies two JSON fields into extracted.isActiveToken and extracted.username. -->
<!-- NOTE(review): this policy only extracts values. No step shown on this page tests extracted.isActiveToken, so confirm that a later policy rejects the request unless it is true. Without that check an inactive or revoked token is still forwarded. -->
<ExtractVariables async="false" continueOnError="false" enabled="true" name="EV-checkOktaResponse">
    <DisplayName>EV-checkOktaResponse</DisplayName>
    <Properties/>
    <!-- NOTE(review): with this set to true, a reply that lacks "active" presumably leaves extracted.isActiveToken unset rather than raising a fault. Treat an unset value as "not active". -->
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <VariablePrefix>extracted</VariablePrefix>
    <JSONPayload>
        <Variable name="isActiveToken">
            <!-- Written without the "$." prefix used for username below; confirm that it resolves as intended. -->
            <JSONPath>active</JSONPath>
        </Variable>
        <Variable name="username">
            <JSONPath>$.username</JSONPath>
        </Variable>
    </JSONPayload>
    <Source clearPayload="false">okta.introspection.response</Source>
</ExtractVariables>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Matches extracted.username against the pattern below and stores the part before "@" as extracted.emplid (VariablePrefix + pattern variable). -->
<!-- NOTE(review): the post later places extracted.emplid in the target URL path. Confirm that the value is checked against the expected employee-id format before it is used there, and that the request is rejected when the pattern does not match. -->
<ExtractVariables continueOnError="false" enabled="true" name="EV-from-Variable">
    <DisplayName>EV-from-Variable</DisplayName>
    <VariablePrefix>extracted</VariablePrefix>
    <Variable name="extracted.username">
        <Pattern>{emplid}@**</Pattern>
    </Variable>
</ExtractVariables>
    <!-- Fragment of the target endpoint: the backend path is built from extracted.emplid, which is derived from the username in the introspection reply. -->
    <!-- NOTE(review): when the extraction steps are skipped or fail, extracted.emplid is presumably unset. Confirm how the URL template behaves then, and that an unvalidated value cannot change the path that is called. -->
    <HTTPTargetConnection>
        <Properties/>
        <URL>https://abc-dev.apigateway.abc.com/worker/{extracted.emplid}</URL>
    </HTTPTargetConnection>

I have added CORS at target pre-flow response

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Adds CORS response headers to the existing response message (AssignTo type="response", createNew="false"). -->
<!-- NOTE(review): the post attaches this policy to the target pre-flow response. Presumably it does not run when a request-side step raises a fault or when the preflight never produces a target response. Confirm, and consider answering OPTIONS at the proxy. -->
<AssignMessage async="false" continueOnError="false" enabled="true" name="add-cors">
    <DisplayName>AM-AddCors</DisplayName>
    <FaultRules/>
    <Properties/>
    <Add>
        <Headers>
            <!-- NOTE(review): echoing the request's Origin header allows every origin, the same reach as a wildcard. Compare Origin against an allow-list of known front-end origins before echoing it, and send "Vary: Origin" if responses can be cached. -->
            <Header name="Access-Control-Allow-Origin">{request.header.origin}</Header>
            <Header name="Access-Control-Allow-Headers">Authorization, origin, x-requested-with, accept, Content-Type</Header>
            <!-- 3628800 seconds is 42 days; browsers cap the preflight cache lifetime at a much lower value. -->
            <Header name="Access-Control-Max-Age">3628800</Header>
            <!-- Lists more methods than the post describes using; presumably this could be narrowed to the methods the API serves. -->
            <Header name="Access-Control-Allow-Methods">GET,PUT,POST,DELETE,HEAD,OPTIONS</Header>
        </Headers>
    </Add>
    <!-- With this set to true, a request without an Origin header presumably yields an empty Access-Control-Allow-Origin value rather than a fault. -->
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>

This call fails on the OPTIONS request with the error: CORS header 'Access-Control-Allow-Origin' missing.

Do we need to handle CORS in the Node.js application or in Apigee? If it has to be done in Apigee, what needs to be done? We have already added the conditions below to the following steps.

	     <!-- Each step below is skipped when the verb is OPTIONS, so a preflight request goes through no token introspection and no username extraction. -->
	     <!-- NOTE(review): this exempts every OPTIONS request from authentication, and extracted.emplid is never set for it. Confirm that OPTIONS is answered at the proxy with the CORS headers and is never forwarded to the worker target as an unauthenticated call. -->
	     <Step>
                <Name>SC-introspectToken</Name>
                <Condition>request.verb != "OPTIONS"</Condition>
            </Step>
            <Step>
                <Name>EV-checkOktaResponse</Name>
                <Condition>request.verb != "OPTIONS"</Condition>
            </Step>
            <Step>
                <Name>EV-from-Variable</Name>
                <Condition>request.verb != "OPTIONS"</Condition>
            </Step>