When testing with the OAuth 2.0 Test Client, the access token is obtained successfully, but clicking the Claims button produces no request to the Gateway.
The Gateway logs no error; however, the web browser console shows the following errors:
Uncaught TypeError: Cannot set property 'className' of null at bcp?state=view&code=5421e65d-7f63-4b07-a6f0-20923f2c1fbe:497
:8443/favicon.ico:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error)
bcp?state=view&code=5421e65d-7f63-4b07-a6f0-20923f2c1fbe:1 Refused to frame 'https://gateway1.l7tech.com:8443/' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
Release:
Component: API GATEWAY
The common cause of this error:
Refused to frame 'https://gateway1.l7tech.com:8443/' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
The Test Client page is served by the Internal Gateway, while the userinfo request is framed from the Gateway in the DMZ, which is a different origin (host and port). Because the Content-Security-Policy header sets no frame-src, the browser falls back to default-src 'self', which permits only the page's own origin, so the browser refuses to send the request to the userinfo endpoint when the Gateway is within the DMZ.
To resolve this:
- In the Internal Gateway, edit the "OTK Security Header Extension" policy.
- Edit the assertion
  Response: Add HTTP Header Content-Security-Policy:default-src 'self'; script-src *.googleapis.com 'unsafe-inline'; img-src * data:; style-src 'unsafe-inline'; font-src * data:;
  so that the header value reads:
  default-src 'self' https://Your_Gateway_Hostname_FQDN:8443; script-src *.googleapis.com 'unsafe-inline'; img-src * data:; style-src 'unsafe-inline'; font-src * data:;
  Your_Gateway_Hostname_FQDN is the host named in the "Refused to frame" error (gateway1.l7tech.com in the example above); keep the port, since a source listed without a port matches only the scheme's default port.
- Save and Activate.
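The following is an added example, not part of this article or of the OTK policy: a small Python check that applies the same frame-src to default-src fallback the browser message describes, and reports whether a page served with a given Content-Security-Policy may frame a target URL. It lets the corrected header be verified before the policy is activated. The two header values are the original and the fixed value from the resolution above, with gateway1.l7tech.com (the host in the console error) standing in for Your_Gateway_Hostname_FQDN; the Internal Gateway URL used as the page origin is constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample headers (not read from any gateway): the value that triggers
# the browser error, and the corrected value from the resolution steps.
# gateway1.l7tech.com is the host quoted in the console error and stands in for
# Your_Gateway_Hostname_FQDN.
ORIGINAL_CSP = ("default-src 'self'; script-src *.googleapis.com 'unsafe-inline'; "
                "img-src * data:; style-src 'unsafe-inline'; font-src * data:;")
FIXED_CSP = ("default-src 'self' https://gateway1.l7tech.com:8443; "
             "script-src *.googleapis.com 'unsafe-inline'; "
             "img-src * data:; style-src 'unsafe-inline'; font-src * data:;")

# CSP Level 3 fallback order for framed content.
FALLBACK_CHAIN = {"frame-src": ["frame-src", "child-src", "default-src"]}
DEFAULT_PORTS = {"https": 443, "http": 80}


def parse_csp(header):
    """Map each directive name to its source list; a repeated directive is ignored, as browsers do."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def origin_of(url):
    """(scheme, host, port) with the scheme's default port filled in when the URL omits it."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def source_matches(source, page_url, target_url):
    """Does one CSP source expression cover target_url when the policy is served with page_url?"""
    src = source.lower()
    t_scheme, t_host, t_port = origin_of(target_url)
    if src == "'none'":
        return False
    if src == "'self'":
        return origin_of(page_url) == origin_of(target_url)
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:          # scheme-source such as "https:"
        return t_scheme == src[:-1]
    # host-source: [scheme://]host[:port][/path]; an omitted scheme means the page's scheme
    if "://" in src:
        s_scheme, rest = src.split("://", 1)
    else:
        s_scheme, rest = origin_of(page_url)[0], src
    if s_scheme != t_scheme:
        return False
    hostport = rest.split("/", 1)[0]
    if ":" in hostport:
        s_host, s_port = hostport.rsplit(":", 1)
        if s_port != "*" and s_port != str(t_port):
            return False
    else:
        s_host = hostport
        if t_port != DEFAULT_PORTS.get(t_scheme):       # no port listed: default port only
            return False
    if s_host.startswith("*."):                          # wildcard covers subdomains only
        return t_host.endswith(s_host[1:]) and t_host != s_host[2:]
    return s_host == t_host


def may_frame(header, page_url, frame_url):
    """Return (allowed, reason) for framing frame_url from a page served with this CSP header."""
    policy = parse_csp(header)
    for name in FALLBACK_CHAIN["frame-src"]:
        if name in policy:
            allowed = any(source_matches(s, page_url, frame_url) for s in policy[name])
            note = "" if name == "frame-src" else f" ('frame-src' not set, '{name}' used as fallback)"
            return allowed, f"governed by {name}{note}"
    return True, "no frame-src, child-src or default-src directive: framing unrestricted"


if __name__ == "__main__":
    # Constructed Internal Gateway URL for the Test Client page; the framed target is the
    # DMZ Gateway named in the console error.
    page = "https://internal-gateway.example.com:8443/auth/oauth/v2/client/bcp"
    target = "https://gateway1.l7tech.com:8443/"
    for label, csp in (("original", ORIGINAL_CSP), ("fixed", FIXED_CSP)):
        allowed, why = may_frame(csp, page, target)
        print(f"{label}: {'allowed' if allowed else 'REFUSED'} ({why})")
```

Running it reports the original header as refused under default-src via the fallback and the fixed header as allowed. The port check matters: a source of https://gateway1.l7tech.com without :8443 would still be refused, which is why the resolution keeps the port in the added source.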