CORS error with Google auth provider

ServiceStack Authentication
1

I’m trying to get google auth running with jwt. I am currently getting the following error:

“405 - redirected from authenticate from origin ‘null’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ACCESS-CONTROL-ALLOW-ORIGIN is present on the requested resource”

I am researching the error, but wondered if I’m missing an easy config on the auth provider that would save me some pain.

the CORS feature is enabled on the webservice.

2

Please provide the full HTTP Request/Response errors for the handler + your CorsFeature configuration.

3

Cors Feature configuration is

        host.Plugins.Add(new CorsFeature(
            allowedOrigins: "*",
            allowedMethods: "GET, POST, PUT, DELETE, OPTIONS",
            allowedHeaders: "Origin, X-Requested-With, Content-Type, Accept, Authorization",
            allowCredentials: false));`

image1.png2988×369 245 KB

4

You should not be initiating the OAuth flow via Ajax, it needs to be a full redirect to the /auth/{provider} endpoint. You have something that’s forcing the OAuth request via Ajax which wont work.

5

Thanks mythz, will pass this info to the web developer.

6

There was indeed an issue with the ajax call, however also had found that the following code was required to initialize the google auth settings:

    public CustomGoogleAuthProvider(IAppSettings appSettings) : base(appSettings)
    {
        this.ConsumerKey = appSettings.GetString("AppSettings:oauth.google.ConsumerKey");
        this.ConsumerSecret = appSettings.GetString("AppSettings:oauth.google.ConsumerSecret");
        this.RedirectUrl = appSettings.GetString("AppSettings:oauth.google.RedirectUrl");
        this.CallbackUrl = appSettings.GetString("AppSettings:oauth.google.CallbackUrl");
    }

otherwise they were not initialized.

This is using dotnet core.

7

The OAuth keys for registering OAuth providers is just "oauth.google.*", e.g:

8

Yeah that’s what I have above right ? but they were not initializing, I had to reinitialize them

9

No, if you used the correct keys you wouldn’t need to manually configure them, it would be configured when using the AppSettings, e.g:

new GoogleAuthProvider(AppSettings),

There’s never any AppSettings: prefix in any config.

10

My mistake, I was still on .Net structure and was expecting AppSettings section. AppSettings structure in ,json and in .config are different

e.g.

  <appSettings>

   <add key="Service.Account.URL" value="http://localhost:9000/" />
   <add key="Service.Activity.URL" value="http://localhost:9001/" />

   Client = new JsonServiceClient(ConfigurationManager.AppSettings["Service.Account.URL"])

vs

  "AppSettings": {
    "Service.Account.URL": "http://localhost:9000/",
    "Service.Connect.URL": "http://localhost:9004/",

 JsonServiceClient(ServiceStack.HostContext.AppSettings.GetString("AppSettings:Service.Account.URL"))
11

There still should never be any AppSettings: prefix for any reason, If you’re using .NET Framework your OAuth keys are exactly the same:

<appSettings>
    <add key="oauth.RedirectUrl"            value="https://yourhostname.com"/>
    <add key="oauth.CallbackUrl"            value="https://yourhostname.com/auth/{0}"/>    
    <add key="oauth.twitter.ConsumerKey"    value="3H1FHjGbA1N0n0aT5yApA"/>
    <add key="oauth.twitter.ConsumerSecret" value="MLrZ0ujK6DwyjlRk2YLp6HwSdoBjtuqwXeHDQLv0Q"/>
</appSettings>

Which is also what you should use when accessing it via AppSettings:

var url = AppSettings.GetString("Service.Account.URL");
12

Yes of course I get your point but nevertheless there is a difference in how .Net treats “AppSettings” to how .Net Core does.

The keys as you say are the same, but the structure is different, and in .Net Core, the structure is part of the key retrieval

13

You would still use exactly the same code to access the key in both:

var url = AppSettings.GetString("Service.Account.URL");

In .NET Core the : prefix as special meaning to traverse object graphs which isn’t used for accessing simple keys like the OAuth configuration. Regardless there should never be an AppSettings: prefix unless you’re putting the configuration inside your own custom "AppSettings" object graph which you shouldn’t be doing.

14

We are talking at cross purposes Mythz, I’m agreeing with you. :smile:

I was merely making an observation about the structural differences which can be confusing:

image.png1269×628 116 KB

15

I’m just explaining where the confusion came from.

16

Do not invent your own AppSettings object graph:

"AppSettings":  { ... }

Your whole appsettings.json is the configuration, add them as simple properties:

{
    "Service.Account.URL": "..."
}

Then both will be accessible using the exact same code:

var url = AppSettings.GetString("Service.Account.URL");
1 Like
17

I hear you mate :smile:

18

What is the correct way to get the JWT once google authentication has completed ?

19

You’ll need to convert your existing Session into a JWT Token.

1 Like
20

Awesome Mythz thanks as always!