Forum Discussion
CORS Header for OAUTH2 APM
Hello,
we are evaluating APM for OAUTH2, running on v13.0 HF2. One of our dev teams is building a single page application that wants to use grant type "password". Therefore, they need to have CORS headers (Access-Control-Allow-Origin) on the token endpoint /f5-oauth2/v1/token
If the header is not applied, they see an error: XMLHttpRequest cannot load https://oauth.mydomain.de/f5-oauth2/v1/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://app.mydomain.de' is therefore not allowed access.
I tried to add the header in HTTP_RESPONSE, but this seems not to be applied to the traffic. My workaround is to have a layered VS that applies the header and forwards to the APM VS.
Is there a more elegant solution for that?
when HTTP_REQUEST {
    # Clear any value left over from an earlier request on this connection
    unset -nocomplain cors_origin
    if { [HTTP::header "Origin"] contains "mydomain.de" } {
        set cors_origin [HTTP::header "Origin"]
        log local0. "CORS Origin seen: [HTTP::header "Origin"]"
    }
}
when HTTP_RESPONSE {
    # CORS GET/POST response - check cors_origin variable set in request
    if { [info exists cors_origin] } {
        HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
        log local0. "CORS Header sent: Access-Control-Allow-Origin $cors_origin"
    }
}
- J_Castro
Nimbostratus
We are having the same issue, at this time we have two virtual servers in a layered fashion and one of them is just for adding headers in the response.
Our approach is now using Open-id, so we are seeing that F5 does not add the headers to its own responses in the oauth URLs, e.g. {fqdn}/.well-known/openid-configuration
At this time, the solution for me is changing in some way the f5 internal server (apache) to add CORS response headers to any of the responses, but I don't know how, yet.
By the way, the iRule in this case, where we are using Open-id, will not work because the HTTP::Response will trigger only if the traffic comes from the server side. In this case, the Open-id portal and Oauth services run only on the client side.
- Daniel_W__13795
Nimbostratus
Hi,
I solved the issue without layered VS. It's simply using HTTP_RESPONSE_RELEASE instead of HTTP_RESPONSE
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    unset -nocomplain cors_origin
    if { [HTTP::header "Origin"] contains "mydomain.com" } {
        set cors_origin [HTTP::header "Origin"]
        log local0. "CORS Origin seen: [HTTP::header "Origin"]"
    }
}
when HTTP_RESPONSE_RELEASE {
    # CORS GET/POST response - check cors_origin variable set in request
    if { [info exists cors_origin] } {
        HTTP::header insert "Access-Control-Allow-Origin" $cors_origin
        log local0. "CORS Header sent: Access-Control-Allow-Origin $cors_origin"
    }
}
- daren
Nimbostratus
I am trying to use this on my LTM with APM; I want a single VS if possible. But this gets stuck on preflight. Any ideas?
- john_sergio_men
Nimbostratus
THANKS
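A stricter variant of the HTTP_RESPONSE_RELEASE iRule from the thread above, added here as an example and not code from any poster or from F5: it matches the Origin exactly instead of by substring, sends Vary: Origin, and answers the preflight in HTTP_REQUEST. The allowed origin (taken from the error message in the first post), the methods, headers and max-age are assumed values, and the preflight branch assumes HTTP::respond can be used at that point on the APM virtual server.

```tcl
# Added example; allowed origin, methods, headers and max-age are assumed values.
when CLIENT_ACCEPTED {
    # From the reply above: let iRule events fire for APM's internal responses
    ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
    unset -nocomplain cors_origin
    if { ![HTTP::header exists "Origin"] } { return }

    # Exact match on the full origin (scheme://host[:port]). A substring
    # test such as 'contains "mydomain.de"' also accepts any other hostname
    # that merely includes that text.
    set origin [string tolower [HTTP::header "Origin"]]
    switch -- $origin {
        "https://app.mydomain.de" { set cors_origin $origin }
        default {
            log local0. "CORS Origin not on allow-list, no CORS headers sent"
            return
        }
    }

    # Preflight: answer it here, because the OPTIONS request carries no
    # credentials or body for the token endpoint to process.
    if { [HTTP::method] eq "OPTIONS" && [HTTP::header exists "Access-Control-Request-Method"] } {
        HTTP::respond 200 noserver \
            "Access-Control-Allow-Origin" $cors_origin \
            "Access-Control-Allow-Methods" "POST, OPTIONS" \
            "Access-Control-Allow-Headers" "Authorization, Content-Type" \
            "Access-Control-Max-Age" "600" \
            "Vary" "Origin"
        unset cors_origin
    }
}

when HTTP_RESPONSE_RELEASE {
    if { [info exists cors_origin] } {
        # replace, not insert, so an existing header is not duplicated
        HTTP::header replace "Access-Control-Allow-Origin" $cors_origin
        # The header value depends on Origin, so caches must key on it
        HTTP::header insert "Vary" "Origin"
    }
}
```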