
OpenID connect claims userinfo endpoint fails with OAuth 2.0 Test Client


Article ID: 133836


Updated On:

Products

API SECURITY

- CA API Gateway
- Precision API Monitoring Module for API Gateway (Layer 7)
- CA API Gateway Enterprise Service Manager (Layer 7)
- STARTER PACK-7
- CA Microgateway

Issue/Introduction

When testing with the OAuth 2.0 Test Client, the access token is obtained successfully, but clicking the Claims button produces no request to the Gateway.

No error is logged on the Gateway. In the web browser console, however, the following errors appear:

Uncaught TypeError: Cannot set property 'className' of null at bcp?state=view&code=5421e65d-7f63-4b07-a6f0-20923f2c1fbe:497

:8443/favicon.ico:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error)

bcp?state=view&code=5421e65d-7f63-4b07-a6f0-20923f2c1fbe:1 Refused to frame 'https://gateway1.l7tech.com:8443/' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.


Cause

The cause is the Content Security Policy violation reported in the console:

Refused to frame 'https://gateway1.l7tech.com:8443/' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

The Claims view loads the userinfo endpoint in a frame. The Content-Security-Policy header on the test client page (set by the "OTK Security Header Extension" policy) contains only default-src 'self', and because no frame-src directive is present the browser falls back to default-src, which permits frames from the page's own origin only. When the Gateway that serves the userinfo endpoint sits in the DMZ, it has a different origin (here https://gateway1.l7tech.com:8443), so the browser refuses the frame before any request is sent. This is why the Gateway logs nothing: the request is blocked client-side.

Environment

Release :

Component : API GATEWAY

Resolution

To resolve this:

- On the Internal Gateway, open the "OTK Security Header Extension" policy in Policy Manager.

- Locate the assertion:

Response: Add HTTP Header Content-Security-Policy:default-src 'self'; script-src *.googleapis.com 'unsafe-inline'; img-src * data:; style-src 'unsafe-inline'; font-src * data:;

- Change the header value to:

default-src 'self' https://Your_Gateway_Hostname_FQDN:8443; script-src *.googleapis.com 'unsafe-inline'; img-src * data:; style-src 'unsafe-inline'; font-src * data:;

where Your_Gateway_Hostname_FQDN is the DMZ Gateway hostname exactly as the browser reaches it (the host named in the "Refused to frame" message), and the port matches the one in that message.

- Save and Activate the policy.

Add only that single origin (scheme, host and port). Do not widen default-src with a wildcard or a bare scheme such as https:, because default-src is the fallback for every fetch directive the header does not list, not just for frames. Since the console message shows frame-src falling back to default-src, a narrower alternative is to leave default-src 'self' unchanged and add an explicit frame-src 'self' https://Your_Gateway_Hostname_FQDN:8443; directive to the same header; either change unblocks the Claims frame.
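The following script is an added example, not OTK or Gateway code, that reproduces the browser's decision for the three headers discussed here: the original policy, the widened default-src, and the narrower explicit frame-src. It implements the frame-src, child-src, default-src fallback and the 'self', host, wildcard-host and port matching rules of CSP for frames. The DMZ hostname is the one from the console messages; the internal page origin and the userinfo path are assumptions for the demo.

```javascript
// Added example (not OTK or Gateway code): decide whether a page's
// Content-Security-Policy lets the browser load a URL in an <iframe>,
// following the frame-src -> child-src -> default-src fallback named in
// the console message. Hostnames are the article's; PAGE_ORIGIN and the
// userinfo path are assumptions for this demo.

const ORIGINAL_CSP =
  "default-src 'self'; script-src *.googleapis.com 'unsafe-inline'; " +
  "img-src * data:; style-src 'unsafe-inline'; font-src * data:;";

// The article's fix: the DMZ Gateway origin added to default-src.
const FIXED_CSP =
  "default-src 'self' https://gateway1.l7tech.com:8443; " +
  "script-src *.googleapis.com 'unsafe-inline'; img-src * data:; " +
  "style-src 'unsafe-inline'; font-src * data:;";

// Narrower alternative: default-src untouched, frame-src set explicitly.
const FRAME_SRC_CSP =
  ORIGINAL_CSP + " frame-src 'self' https://gateway1.l7tech.com:8443;";

// Assumed origin of the page that serves the test client.
const PAGE_ORIGIN = "https://internal-gateway.example.com:8443";
// Assumed userinfo URL on the DMZ Gateway; only its origin matters for framing.
const USERINFO_URL = "https://gateway1.l7tech.com:8443/openid/connect/v1/userinfo";

// Parse "name src src; name src" into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const directive of header.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// The directive that governs frames: frame-src, else child-src, else default-src.
function frameDirective(policy) {
  return ["frame-src", "child-src", "default-src"].find((d) => policy.has(d)) || null;
}

// Match one host-source expression (scheme://host:port, *.host, host) against a URL.
function hostSourceMatches(source, target, pageOrigin) {
  let rest = source;
  let scheme = null;
  const m = rest.match(/^([a-z][a-z0-9+.-]*):\/\//i);
  if (m) {
    scheme = m[1].toLowerCase() + ":";
    rest = rest.slice(m[0].length);
  }
  rest = rest.split("/")[0]; // drop any path part
  const colon = rest.lastIndexOf(":"); // bracketed IPv6 hosts are not handled
  const host = (colon === -1 ? rest : rest.slice(0, colon)).toLowerCase();
  const port = colon === -1 ? null : rest.slice(colon + 1);

  // Scheme: an explicit scheme must match; without one the page's scheme
  // applies (an http page may still frame https).
  const pageScheme = new URL(pageOrigin).protocol;
  const schemeOk = scheme
    ? target.protocol === scheme
    : target.protocol === pageScheme || target.protocol === "https:";
  if (!schemeOk) return false;

  // Host: exact match, or *.example.com matching any subdomain (not the apex).
  const th = target.hostname.toLowerCase();
  if (host.startsWith("*.") ? !th.endsWith(host.slice(1)) : host !== th) return false;

  // Port: an explicit port must match; without one the scheme's default applies.
  const defaultPort = (p) => (p === "https:" ? "443" : "80");
  const targetPort = target.port || defaultPort(target.protocol);
  if (port === "*") return true;
  return (port === null ? defaultPort(scheme || target.protocol) : port) === targetPort;
}

function sourceMatches(source, target, pageOrigin) {
  if (source === "'self'") return target.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  return hostSourceMatches(source, target, pageOrigin);
}

// Returns { allowed, directive } for framing frameUrl from a page at pageOrigin.
function framingAllowed(cspHeader, pageOrigin, frameUrl) {
  const policy = parseCsp(cspHeader);
  const directive = frameDirective(policy);
  if (!directive) return { allowed: true, directive: null }; // CSP silent on frames
  const target = new URL(frameUrl);
  const allowed = policy.get(directive).some((s) => sourceMatches(s, target, pageOrigin));
  return { allowed, directive };
}

for (const [label, csp] of [["original", ORIGINAL_CSP], ["fixed", FIXED_CSP], ["frame-src", FRAME_SRC_CSP]]) {
  const r = framingAllowed(csp, PAGE_ORIGIN, USERINFO_URL);
  console.log(`${label}: userinfo frame ${r.allowed ? "allowed" : "blocked"} by ${r.directive}`);
}
```

Running it shows the original header blocking the frame under default-src and both corrected headers allowing it, while a different port (https://gateway1.l7tech.com without :8443) or an unrelated host stays blocked, which is the check to run before widening the policy any further.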