Null origin issue with SAML callback in OAuth flow



  • Hi, I am currently evaluating FusionAuth and I have setup the following:

    • latest FusionAuth in docker running locally
    • tenant and application
    • identity provider (JumpCloud) for a specific domain and enabled it for application
    • fusionauth-example-python-flask example app

    When I login to the example app using a user with an email address not in the configured IdP domain, everything works as expected.

    However, when I try to login with an email address configured for the IdP, I am redirected to JumpCloud / IdP as expected, I login and then I get a 403 CORS related error:

    CORS Debugger Invalid Simple CORS request. Origin not allowed. [null] HTTP Method: POST URI: /samlv2/acs Base URI: http://localhost:9011 Host header: localhost:9011 Origin header: null Referer header: - Remote host: 172.18.0.1 IP Address: 172.18.0.1 Header names: host, connection, content-length, pragma, cache-control, origin, upgrade-insecure-requests, dnt, content-type, user-agent, accept, sec-fetch-site, sec-fetch-mode, sec-fetch-dest, accept-encoding, accept-language, cookie Return HTTP Status code 403.

    There was a similar issue reported here:

    https://github.com/FusionAuth/fusionauth-issues/issues/379

    Issue 379 was fixed, so I am experiencing a new issue or is there some configuration I am missing?



  • Workarounds for my issue are to either have either "*" or "null" in the CORS filter allowed origins.

    I am assuming this won't be an issue in production as the SAML callback will be HTTPS -> HTTPS and not HTTPS -> HTTP.


Log in to reply
 

Looks like your connection to FusionAuth Forum was lost, please wait while we try to reconnect.