
Error: CORS request rejected when Postman reaches SPS OIDC Provider

Article ID: 254328

Products

SITEMINDER

Issue/Introduction

When running CA Access Gateway (SPS) as an OIDC provider and testing with the Postman Web App, the Authorization Code is obtained, but when Postman then calls the Token Endpoint to exchange it for an Access Token, the application reports an error:

    Request Body
    grant_type: "authorization_code"
    code: "OGU2NmM0MzktOTA4Mi00ZDkyLTlhODgtNDYwZTVlYmE1MDZlLTdMbS9FUlEwWU0ycWZrUElBd212U1VDZnZQWT0="
    redirect_uri: "https://oauth.pstmn.io/v1/browser-callback"
    client_id: "mobileAPP_AP"
    Error: CORS request rejected: https://sps.mydomain.com/affwebservices/CASSO/oidc/Client/token

 

Environment

CA Access Gateway (SPS) 12.8SP6 on Windows 2016;
AdoptOpenJDK 11.0.16.8;

Cause

The SPS traces show:

    Resolving service to handle OIDC CORS Preflight Request, for URI: /affwebservices/CASSO/oidc/Client/token]

The documentation states that the CORSConfiguration ACO parameter must be configured for CORS to work on the OIDC endpoints (1). The browser running the Postman Web App sends a CORS preflight request to the Token Endpoint before the actual token call, and SPS rejects it because no allowed origin is configured (2).

Resolution

Configure the CORSConfiguration ACO parameter so that SPS returns the CORS headers the Postman Web App needs.
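The following is an added example, not SiteMinder/SPS code, that models the preflight decision this article is about: an OPTIONS request from Postman's origin arrives at the token endpoint, the gateway checks the Origin header against its allow-list, and the browser then decides whether to release the real POST. The allow-list `ALLOWED_ORIGINS` is an assumption standing in for whatever the real CORSConfiguration ACO parameter holds; the request and response headers are constructed to match the scenario above, and `token_exchange_outcome` reproduces the before/after of the fix.

```python
"""Model of the CORS preflight decision described in the article (added
example, not SPS code). ALLOWED_ORIGINS is an assumption standing in for the
CORSConfiguration ACO parameter; all headers below are constructed."""
from typing import Dict, Optional

TOKEN_ENDPOINT = "/affwebservices/CASSO/oidc/Client/token"  # URI from the SPS trace
POSTMAN_ORIGIN = "https://oauth.pstmn.io"  # origin of the redirect_uri in the article

# Constructed allow-list (assumption): only the origins the gateway operator trusts.
ALLOWED_ORIGINS = frozenset({POSTMAN_ORIGIN})


def preflight_response(request_headers: Dict[str, str],
                       allowed_origins=ALLOWED_ORIGINS) -> Optional[Dict[str, str]]:
    """Decide an OPTIONS preflight the way the documentation describes:
    if the Origin is not allowed the CORS flow ends (None); otherwise
    return the CORS headers to add to the response."""
    origin = request_headers.get("Origin")
    if origin is None or origin not in allowed_origins:
        return None
    method = request_headers.get("Access-Control-Request-Method", "POST")
    headers = request_headers.get("Access-Control-Request-Headers", "content-type")
    return {
        # Echo the specific origin rather than "*": the token endpoint is not a public resource.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": method,
        "Access-Control-Allow-Headers": headers,
        # Caches must key on Origin so one origin's grant is never served to another.
        "Vary": "Origin",
    }


def browser_releases_post(origin: str, preflight: Optional[Dict[str, str]]) -> bool:
    """Browser-side rule: the actual POST goes out only if the preflight
    allowed this origin, the POST method and the Content-Type header."""
    if preflight is None:
        return False
    if preflight.get("Access-Control-Allow-Origin") not in (origin, "*"):
        return False
    methods = {m.strip().upper() for m in preflight.get("Access-Control-Allow-Methods", "").split(",")}
    if "POST" not in methods:
        return False
    allowed = {h.strip().lower() for h in preflight.get("Access-Control-Allow-Headers", "").split(",")}
    return "content-type" in allowed


def token_exchange_outcome(origin: str, allowed_origins=ALLOWED_ORIGINS) -> str:
    """Full round trip for the article's scenario: either the token POST is
    sent, or the client ends up with the same kind of 'CORS request rejected'
    failure Postman showed."""
    # Constructed preflight, as a browser sends it before a cross-origin POST
    # (the SPS trace shows exactly such a preflight reaching the token URI).
    preflight_request = {
        "Origin": origin,
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "content-type",
    }
    response = preflight_response(preflight_request, allowed_origins)
    if browser_releases_post(origin, response):
        return f"POST {TOKEN_ENDPOINT} sent"
    return f"CORS request rejected: {TOKEN_ENDPOINT}"


if __name__ == "__main__":
    # Before the fix: CORSConfiguration does not list Postman's origin.
    print(token_exchange_outcome(POSTMAN_ORIGIN, allowed_origins=frozenset()))
    # After the fix: the origin is allowed, the preflight succeeds, the POST goes out.
    print(token_exchange_outcome(POSTMAN_ORIGIN))
```

Two design points carry over to the real configuration: list only the specific origins that need the token endpoint rather than a wildcard, and remember that CORS is a browser-enforced control only; it does not replace client authentication at the Token Endpoint.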

Additional Information

(1)

    Cross-Origin Resource Sharing (CORS) Support for OIDC Endpoints

      If CORS is enabled for Authentication URL, SiteMinder verifies
      whether the Origin header is allowed per the CORSConfiguration ACO
      parameter configuration. If the Origin header is not allowed, CORS
      process flow ends. If the Origin header is allowed, SiteMinder
      validates the other configured ACO parameters, and then
      authenticates the user, adds CORS response to the authentication
      response, and redirects to Authorization Endpoint.

(2)

    Sec-Fetch-Mode