我们在进行API调用以生成OAuth令牌时遇到问题。我们的电话如下:
// Reusable variables
var oneloginURL = "https://api.us.onelogin.com";
var oneloginSessionURL = "https://rxsense.onelogin.com";
// Axios objects for AJAX calls, For onelogin calls only
var ONELOGIN_API = axios.create({baseURL: oneloginURL})
var ONELOGIN_SESSION_API = axios.create({baseURL: oneloginSessionURL})
const REQUIRED_CONFIG = {
ONE_LOGIN: {
LOGIN: {
BASE: "https://api.us.onelogin.com",
METHOD: "POST",
ROUTE: "/api/1/login/auth"
},
TOKEN: {
BASE: "https://api.us.onelogin.com",
METHOD: "POST",
ROUTE: "/auth/oauth2/v2/token"
},
SESSION_TOKEN: {
BASE: "https://rxsense.onelogin.com",
METHOD: "POST",
ROUTE: "/session_via_api_token"
}
},
}
const services = {
BASE_URL: baseURL,
ACCESS: REQUIRED_CONFIG,
sendRequestForOneLogin: function(service = ONELOGIN_API, method, route, params, config) {
switch(method) {
case 'GET': return service.get(route, params);
case 'POST': return service.post(route, {params,config});
case 'PUT': return service.put(route, params);
}
},
}
// Methods calling the services
generateOneLoginToken: function() {
let params = {
'grant_type': 'client_credentials',
}
let config = {
auth: {
username: "clientname",
password: "clientsecret",
},
headers: {
"Custom-Allowed-Origin-Header-1": "http://localhost:8080"
}
}
return this.sendRequestForOneLogin(
ONELOGIN_API,
this.ACCESS.ONE_LOGIN.TOKEN.METHOD,
this.ACCESS.ONE_LOGIN.TOKEN.ROUTE,
params,
config
);
},
loginOneLogin: function() {
let params = {
'username_or_email': 'uname1',
'password': 'pass@123',
'subdomain': 'mydomain'
}
let config = {
headers: {
"Custom-Allowed-Origin-Header-1": "http://localhost:8080",
"Authorization": 'bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
}
}
return this.sendRequestForOneLogin(
ONELOGIN_API,
this.ACCESS.ONE_LOGIN.LOGIN.METHOD,
this.ACCESS.ONE_LOGIN.LOGIN.ROUTE,
params,
config
);
},
显示的错误是:
“Access to XMLHttpRequest at 'https://api.us.onelogin.com/auth/oauth2/v2/token' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.”
这是使用localhost作为URL的问题吗?我知道有文档建议使用Custom-Allowed-Origin-Header-1 Header来解决这个问题,但我们仍然在最后看到它。如果我们不能使用localhost作为CORS URL的参数,我们是否可以使用服务器的私有IP地址进行呼叫?
获取访问令牌的请求不应该从客户端javascript完成,因为这意味着您已将client_secret暴露给Internet。
OneLogin仅支持CORS生成会话令牌。再次,您不应该从客户端javascript发出原始登录请求,但您有正确的想法,在此请求上设置“Custom-Allowed-Origin-Header-1”标头。
然后,您将根据第一个请求返回的令牌发出生成会话的请求。实际上,这是一个客户端调用,它返回cookie以启用SSO。 https://developers.onelogin.com/api-docs/1/login-page/create-session-via-token
如果必须从客户端对用户进行身份验证,则此方法不是推荐的方法。请使用OpenId Connect Implicit flow或Authorization Code flow + PKCE。