
X-CSRFToken header causes CORS error when used with openIdConnect security definition #588

Closed
georgy-komarov opened this issue Oct 28, 2021 · 2 comments
Labels: bug (Something isn't working); fix confirmation pending (issue has been fixed and confirmation from issue reporter is pending)

Comments

georgy-komarov commented Oct 28, 2021

Describe the bug
X-CSRFToken header causes CORS error when used with openIdConnect security definition

To Reproduce
I'm using a custom scheme for Keycloak OpenID auth (more info here).
For simplicity, let's assume we need only the profile scope for all the endpoints.

from django.conf import settings
from drf_spectacular.contrib.django_oauth_toolkit import DjangoOAuthToolkitScheme


class KeycloakAuthScheme(DjangoOAuthToolkitScheme):
    # Authentication class that this extension describes in the generated schema
    target_class = 'mozilla_django_oidc.contrib.drf.OIDCAuthentication'
    name = 'keycloak'

    def get_security_requirement(self, auto_schema):
        # Every endpoint requires only the 'profile' scope
        return {self.name: ['profile']}

    def get_security_definition(self, auto_schema):
        # Swagger UI fetches this discovery document from the Keycloak origin,
        # i.e. cross-origin relative to the page serving the UI
        return {
            'type': 'openIdConnect',
            'openIdConnectUrl': f'{settings.KEYCLOAK_SERVER}/auth/realms/{settings.KEYCLOAK_REALM}/.well-known/openid-configuration',
        }

When we open swagger-ui, it fails to get the OpenID configuration due to the rather specific X-CSRFToken header, which most Keycloak servers deny. And, of course, there is no way to contact admins to change their CORS policy.

It seems like it happens because of the requestInterceptor here:

requestInterceptor: (request) => {
    request.headers["X-CSRFToken"] = "{{ csrf_token }}";
    return request;
},

As far as I understand, it is added for Django session authentication. But I am not sure that is the only reason.
And I am not really sure if I can override this behaviour.

UPD: Workaround
I managed to find a workaround. Thanks to this commit I can set requestInterceptor to undefined. This seems to work; however, it's quite a dirty hack.
UPD2: Setting requestInterceptor to undefined was not a good idea as it breaks something in the UI itself. A safer way is to set "requestInterceptor": (request) => request

'SWAGGER_UI_SETTINGS': '''{
    "deepLinking": true,
    "oauth2RedirectUrl": `${window.location.protocol}//${window.location.host}/api/static/drf_spectacular_sidecar/swagger-ui-dist/oauth2-redirect.html`,
    "requestInterceptor": (request) => request
}''',

Expected fix
This can be fixed if we do not set requestInterceptor globally.
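An added example, not drf-spectacular's own code, of a requestInterceptor that attaches the CSRF header only to same-origin requests: the cross-origin discovery fetch then carries no custom header (so no CORS preflight) and the Django CSRF token is never sent to the Keycloak origin. The page origin and token are assumed inputs; in the template they would come from window.location.origin and "{{ csrf_token }}".

```javascript
// Added example (not the project's code): scope the X-CSRFToken header to
// same-origin requests. pageOrigin and csrfToken are assumed inputs.
function isSameOrigin(url, pageOrigin) {
  // Relative URLs such as "/api/schema/" resolve against the page origin;
  // absolute URLs keep their own origin (the base is ignored for them).
  const target = new URL(url, pageOrigin);
  return target.origin === new URL(pageOrigin).origin;
}

function makeCsrfInterceptor(csrfToken, pageOrigin) {
  // Same shape as Swagger UI's requestInterceptor: mutate and return the request.
  return (request) => {
    if (isSameOrigin(request.url, pageOrigin)) {
      request.headers["X-CSRFToken"] = csrfToken;
    }
    return request;
  };
}

// Constructed sample requests shaped like Swagger UI's request object.
const interceptor = makeCsrfInterceptor("constructed-token", "https://api.example.test");

// Same-origin call to the Django backend: header is added.
const sameOriginReq = interceptor({ url: "/api/schema/", headers: {} });

// Cross-origin OpenID discovery fetch: header is left out, so the request
// stays a simple CORS request and the token is not disclosed to Keycloak.
const oidcReq = interceptor({
  url: "https://keycloak.example.test/auth/realms/demo/.well-known/openid-configuration",
  headers: {},
});
```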

@tfranzel
Owner

hey!

that's a good point. I was wondering when this would cause problems. The requestInterceptor is quite limited information-wise, but I think there is a credentials: "same-origin" property we can use to disable the CSRF header. I will have a look.

@tfranzel tfranzel added the bug Something isn't working label Oct 28, 2021
@tfranzel tfranzel added the fix confirmation pending issue has been fixed and confirmation from issue reporter is pending label Oct 31, 2021
@tfranzel
Owner

closing this issue for now. feel free to comment if anything is missing or not working and we will follow-up.
