CORS error while trying to redirect to duo url. #1

Open
emrebayramc opened this issue Jan 1, 2021 · 12 comments

@emrebayramc

emrebayramc commented Jan 1, 2021

Hello,
I have followed the demos and I am getting a CORS error in the browser when I try to redirect to the prompt_uri.
Any idea why?

    # ...
    prompt_uri = duo_client.create_auth_url(username, state)

    # Redirect to prompt URI which will redirect to the client's redirect URI
    # after 2FA
    return redirect(prompt_uri)
    # ...

image

@AaronAtDuo
Contributor

@kazanture Are you getting this issue with the provided demo itself, or from some other application you've added the client to?

@nishant-rana-19

@kazanture Any update or solution you found regarding this?

@AaronAtDuo
Contributor

@nishant-rana-19 are you also running into this issue? Can you tell us more about how you are deploying the Duo integration? We have not been able to reproduce this issue internally, so any details you can provide about the web application or environment might help.

@nishant-rana-19

@AaronAtDuo So it's a simple login page with username and password as input, and upon input I verify that the credentials are okay. If the credentials are verified, I return redirect(prompt_uri) as done in the demo of the Web SDK v4. Now on the frontend side I get a 302 response code, which is correct for redirection. After that, another request goes to the prompt_uri and I get the above-mentioned error.

@emrebayramc
Author

@nishant-rana-19 I don't remember the details, but in the end I believed Duo Universal was not enabled on my Duo account because it was showing like this:
image

So we switched to the old SDK: duo_web==1.3.0

Not sure if that was the case, but we were able to move forward, so I did not dig deeper.

@nishant-rana-19

@kazanture @AaronAtDuo I will update about this Universal Prompt; if I remember correctly, I did enable this.
In the meantime, I kind of found a workaround: I am now redirecting from the front-end side (ReactJS), and after that the Duo prompt redirects back to my site. I still haven't implemented this fully (tried it and it worked), so I don't know about any issues that might arise.

@nishant-rana-19

@kazanture @AaronAtDuo Yup, my Duo Universal Prompt is still 'Waiting on Duo..'. One question I do have: do I need this to be on New Prompt Ready or Activated to use the Web SDK?

@AaronAtDuo
Contributor

This client will work either way. The "Activate Universal Prompt" and "Waiting on Duo" piece is related to the prompt UI which we are private previewing and will roll out to all customers in the future. You can see https://duo.com/docs/universal-prompt-update-guide for more details.

Any issues you are having should be unrelated to this, however, since you're having issues with the redirect to Duo, not with the prompt that Duo serves. One quick question: I see a reference to XHR in the error. Does your application submit the login credentials via a normal form submit or using XHR?

@nishant-rana-19

@AaronAtDuo Sorry for the late reply. The application uses a fetch POST request. The application is based on React.

@C41M50N

C41M50N commented Jul 13, 2021

I am also experiencing this same issue. I have a React web application that talks to a FastAPI API. When the redirect response is returned to the web app (after sending an initial GET request), I receive an error (in the console) extremely similar to the one in the original issue.

Happy to answer any questions to get this resolved.

@AaronAtDuo
Contributor

We've received a few more reports of this issue in the last couple weeks. I believe what is happening is:

  1. Folks are trying to add Duo to web applications that send login credentials to the server via XHR rather than a simple HTML form submit
  2. The server is replying to the XHR with a 302 redirect to the Duo URL
  3. Since this 302 is a reply to an XHR, it triggers a CORS preflight check (this may depend on the JS framework in use?)
  4. Duo is not expecting a CORS preflight check and so does not respond appropriately
  5. The CORS preflight errors out and so the whole redirect is canceled.

If anyone who is still being affected by this issue could let me know if I seem to be on the right track, that would be very helpful.

If I am right, there may be a few options...
A) The example implementation of the server code is not assuming XHR is in use. Affected web applications could be updated to respond to the credential submit not with a 302 redirect but with something that indicates to the client-side JS about the URL to follow
B) Duo might be able to support the CORS preflight check better
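
Added example, not part of the thread and not Duo's code: a sketch of option A as a standard-library WSGI login handler that answers a fetch/XHR login with a JSON body carrying the URL and keeps the 302 only for plain form submits. `create_auth_url` here is a stand-in for the SDK call shown in the issue, and the host, the state value and the `redirect_url` field name are assumptions; the front end is assumed to send `Accept: application/json` and then navigate the top-level window to the returned URL.

```python
import json
from io import BytesIO
from urllib.parse import parse_qs, urlencode

def create_auth_url(username, state):
    # Stand-in for duo_client.create_auth_url(username, state) from the thread.
    # The host is a constructed placeholder, not a real Duo API hostname.
    return "https://duo-api-host.example/authorize?" + urlencode({"state": state})

def wants_json(environ):
    # Assumption: the front end marks its fetch/XHR login call with one of
    # these headers; a plain HTML form submit sends neither.
    accept = environ.get("HTTP_ACCEPT", "")
    return ("application/json" in accept
            or environ.get("HTTP_X_REQUESTED_WITH") == "XMLHttpRequest")

def login_app(environ, start_response):
    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode())
    username = form.get("username", [""])[0]
    # Credential verification is omitted; state is a constructed value and
    # would be random and stored in the session in a real handler.
    prompt_uri = create_auth_url(username, "constructed-state")
    if wants_json(environ):
        # fetch/XHR: hand the URL to the script, which then performs a
        # top-level navigation itself (window.location.assign(redirect_url)).
        body = json.dumps({"redirect_url": prompt_uri}).encode()
        start_response("200 OK", [("Content-Type", "application/json"),
                                  ("Cache-Control", "no-store")])
        return [body]
    # Form submit: the browser navigates, so a 302 to Duo works as in the demo.
    start_response("302 Found", [("Location", prompt_uri)])
    return [b""]

def call(app, extra_headers):
    # Drive the WSGI app with a constructed login POST.
    data = b"username=alice&password=constructed"
    environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(data)),
               "wsgi.input": BytesIO(data), **extra_headers}
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body

if __name__ == "__main__":
    print(call(login_app, {"HTTP_ACCEPT": "application/json"}))
    print(call(login_app, {}))
```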

@goulter

goulter commented Jul 29, 2024

@AaronAtDuo I know this issue is closed, but I am experiencing this very error.
I can generate the prompt_uri via the create_auth_url function.
When I tell Django to redirect to that prompt_uri like return redirect(prompt_uri), I get this error:

CORS missing allow origin
Status 405
Method Not Allowed
Version HTTP/1.1
Transferred 209 B (0 B size)
Referrer Policy strict-origin-when-cross-origin
DNS Resolution System
