Null origin issue with SAML callback in OAuth flow
Hi, I am currently evaluating FusionAuth and I have set up the following:
- latest FusionAuth in docker running locally
- tenant and application
- identity provider (JumpCloud) for a specific domain and enabled it for application
- fusionauth-example-python-flask example app
When I log in to the example app using a user with an email address not in the configured IdP domain, everything works as expected.
However, when I try to log in with an email address configured for the IdP, I am redirected to JumpCloud (the IdP) as expected; I log in and then get a 403 CORS-related error:
CORS Debugger
Invalid Simple CORS request. Origin not allowed. [null]
HTTP Method: POST
URI: /samlv2/acs
Base URI: http://localhost:9011
Host header: localhost:9011
Origin header: null
Referer header: -
Remote host: 172.18.0.1
IP Address: 172.18.0.1
Header names: host, connection, content-length, pragma, cache-control, origin, upgrade-insecure-requests, dnt, content-type, user-agent, accept, sec-fetch-site, sec-fetch-mode, sec-fetch-dest, accept-encoding, accept-language, cookie
Return HTTP Status code 403.
There was a similar issue reported here:
Issue 379 was fixed, so I am experiencing a new issue or is there some configuration I am missing?
Workarounds for my issue are to have either "*" or "null" in the CORS filter allowed origins.
I am assuming this won't be an issue in production as the SAML callback will be HTTPS -> HTTPS and not HTTPS -> HTTP.
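To make the failure mode concrete, here is an added Python example (my own illustration, not FusionAuth's CORS filter or the Flask example app's code). It models a CORS filter decision for the request shown in the debugger output above: a cross-site form POST to the SAML ACS endpoint arrives with a literal `Origin: null` header (browsers send that when an HTTPS page redirects or form-posts to an HTTP page, and for sandboxed iframes and data: URLs), so an origin allow-list can never match it. The example contrasts the two workarounds in the post with a third option: exempting the ACS route from the origin check and relying on the form's `SAMLResponse` (which the real server would verify by signature) instead. The policy class, route name `/samlv2/acs`, the allowed origin `http://localhost:5000`, and the request body are all constructed assumptions. Unlike the "null" workaround, this example deliberately never matches a `null` origin even when it is listed, because `null` identifies no site and allow-listing it is equivalent to allowing any untrusted context.

```python
"""Added example (not FusionAuth's code): model a CORS origin check and show
why a SAML ACS endpoint should be exempted from it rather than allow-listing
the "null" origin or "*".
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple
from urllib.parse import parse_qs


@dataclass(frozen=True)
class CorsPolicy:
    # Origins the browser app is served from (assumed value for the Flask app).
    allowed_origins: FrozenSet[str]
    # Cookie/Authorization-bearing requests; "*" is not acceptable with these.
    allow_credentials: bool = True
    # Routes that receive cross-site form POSTs by design and authenticate
    # the request by its signed payload (SAML ACS), not by the Origin header.
    exempt_paths: FrozenSet[str] = frozenset()


def origin_allowed(policy: CorsPolicy, origin: Optional[str]) -> bool:
    """Decide whether a request's Origin header passes the allow-list."""
    if origin is None:
        # No Origin header: same-origin navigation or a non-browser client;
        # the CORS filter has nothing to enforce here.
        return True
    if origin == "null":
        # "null" is what browsers send for privacy-sensitive contexts
        # (HTTPS -> HTTP cross-scheme posts, sandboxed iframes, data: URLs).
        # It names no site, so it is refused even if someone listed it.
        return False
    if "*" in policy.allowed_origins:
        # A wildcard is only meaningful for credential-less requests.
        return not policy.allow_credentials
    return origin in policy.allowed_origins


def decide(policy: CorsPolicy, method: str, path: str,
           headers: Dict[str, str], body: str) -> Tuple[int, str]:
    """Return (status, reason) for one request, mimicking a CORS filter.

    Header names are expected lower-cased, as in the debugger output.
    """
    if path in policy.exempt_paths:
        # The ACS route is authenticated by the SAMLResponse it carries
        # (signature, audience, InResponseTo are checked by the SAML layer,
        # not modelled here). Only sanity-check the shape of the post.
        if method != "POST" or headers.get("content-type", "") \
                != "application/x-www-form-urlencoded":
            return 400, "ACS expects a form POST"
        if "SAMLResponse" not in parse_qs(body):
            return 400, "ACS form post without SAMLResponse"
        return 200, "ACS route: authenticated by SAMLResponse, Origin ignored"
    origin = headers.get("origin")
    if origin_allowed(policy, origin):
        return 200, "origin allowed"
    # Same wording as the FusionAuth debugger line quoted in the post.
    return 403, f"Invalid Simple CORS request. Origin not allowed. [{origin}]"


# Constructed request mirroring the debugger output above (headers trimmed).
ACS_HEADERS = {
    "host": "localhost:9011",
    "origin": "null",
    "content-type": "application/x-www-form-urlencoded",
    "sec-fetch-site": "cross-site",
}
# Constructed body; the base64 is a dummy placeholder, not a real assertion.
ACS_BODY = "SAMLResponse=UExBQ0VIT0xERVI%3D&RelayState=state-123"

STRICT = CorsPolicy(allowed_origins=frozenset({"http://localhost:5000"}))
WITH_ACS_EXEMPT = CorsPolicy(
    allowed_origins=frozenset({"http://localhost:5000"}),
    exempt_paths=frozenset({"/samlv2/acs"}),
)


if __name__ == "__main__":
    print(decide(STRICT, "POST", "/samlv2/acs", ACS_HEADERS, ACS_BODY))
    print(decide(WITH_ACS_EXEMPT, "POST", "/samlv2/acs", ACS_HEADERS, ACS_BODY))
    print(decide(WITH_ACS_EXEMPT, "POST", "/api/user",
                 {"origin": "https://evil.example"}, ""))
```

Running it reproduces the 403 from the post for the strict policy, a 200 once the ACS path is exempt, and still a 403 for an unknown origin on an ordinary API route. The design point is that an ACS endpoint is supposed to be hit cross-site by the IdP's form post, so its trust anchor is the signed assertion, not the browser's Origin header; widening the CORS allow-list to cover it weakens every other route at the same time.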