Null origin issue with SAML callback in OAuth flow
-
Hi, I am currently evaluating FusionAuth and I have set up the following:
- latest FusionAuth in docker running locally
- tenant and application
- identity provider (JumpCloud) for a specific domain and enabled it for application
- fusionauth-example-python-flask example app
When I login to the example app using a user with an email address not in the configured IdP domain, everything works as expected.
However, when I try to login with an email address configured for the IdP, I am redirected to JumpCloud / IdP as expected, I login and then I get a 403 CORS related error:
CORS Debugger
Invalid Simple CORS request. Origin not allowed. [null]
HTTP Method: POST
URI: /samlv2/acs
Base URI: http://localhost:9011
Host header: localhost:9011
Origin header: null
Referer header: -
Remote host: 172.18.0.1
IP Address: 172.18.0.1
Header names: host, connection, content-length, pragma, cache-control, origin, upgrade-insecure-requests, dnt, content-type, user-agent, accept, sec-fetch-site, sec-fetch-mode, sec-fetch-dest, accept-encoding, accept-language, cookie
Return HTTP Status code 403.
There was a similar issue reported here:
https://github.com/FusionAuth/fusionauth-issues/issues/379
Issue 379 was fixed, so am I experiencing a new issue, or is there some configuration I am missing?
-
Workarounds for my issue are to have either "*" or "null" in the CORS filter allowed origins.
I am assuming this won't be an issue in production as the SAML callback will be HTTPS -> HTTPS and not HTTPS -> HTTP.
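An added illustration (not code from the thread or from FusionAuth) of the two things discussed above: parsing the CORS debugger line to recover the Origin the browser actually sent, and checking it against candidate allowed-origin lists. The allow check and the https-to-http downgrade rule are assumed models of common behaviour, not FusionAuth's implementation; the IdP URL is a placeholder.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed copy of the debugger line quoted in the post (trailing fields trimmed).
DEBUG_LINE = (
    "CORS Debugger Invalid Simple CORS request. Origin not allowed. [null] "
    "HTTP Method: POST URI: /samlv2/acs Base URI: http://localhost:9011 "
    "Host header: localhost:9011 Origin header: null Referer header: - "
    "Remote host: 172.18.0.1 IP Address: 172.18.0.1"
)

# Labelled "name: value" fields as they appear in the debugger output.
FIELD_RE = re.compile(
    r"(HTTP Method|URI|Base URI|Host header|Origin header|Referer header): (\S+)"
)


def parse_debug_line(line: str) -> Dict[str, str]:
    """Extract the labelled fields from one CORS debugger line."""
    return {name: value for name, value in FIELD_RE.findall(line)}


def simple_cors_allowed(origin: str, allowed_origins: List[str]) -> bool:
    """Assumed model of a simple-CORS allow check: the literal Origin header value
    must be in the allowed list, or the list must contain the wildcard '*'.
    A browser sends an opaque origin as the literal string 'null', so only an
    entry of 'null' (or '*') matches it. Note that 'null' is also what sandboxed
    iframes and file:// pages send, so allowing it is not a strong restriction."""
    return "*" in allowed_origins or origin in allowed_origins


def evaluate(line: str, allowed_origins: List[str]) -> int:
    """HTTP status the modelled check would return for the logged request."""
    fields = parse_debug_line(line)
    return 200 if simple_cors_allowed(fields["Origin header"], allowed_origins) else 403


def expected_origin_header(idp_page_url: str, acs_url: str) -> str:
    """Assumed model of the Origin a browser sends on the IdP's auto-submitted
    form POST to the ACS: the IdP page's origin, except that a security downgrade
    (HTTPS page posting to an HTTP target) yields the opaque value 'null'."""
    src, dst = urlsplit(idp_page_url), urlsplit(acs_url)
    if src.scheme == "https" and dst.scheme == "http":
        return "null"
    return f"{src.scheme}://{src.netloc}"


if __name__ == "__main__":
    print(parse_debug_line(DEBUG_LINE))
    for allowed in ([], ["http://localhost:9011"], ["null"], ["*"]):
        print(allowed, "->", evaluate(DEBUG_LINE, allowed))
```

Running it shows that only the "null" and "*" entries turn the logged request into a 200, and that the same flow against an HTTPS ACS would carry the IdP's real origin instead of null.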
-
@adam glad you were able to find a workaround.
I am assuming this won't be an issue in production as the SAML callback will be HTTPS -> HTTPS and not HTTPS -> HTTP.
I'm not sure, would need to set up a test environment. If you have a support contract, feel free to open a support ticket for us to do more investigation.
You could also set up a local proxy to have fusionauth be served over HTTPS (examples here) or you could use ngrok or something similar for your testing.