Cross-Origin Resource Sharing error: Preflight Missing Allow Origin Header

Hi

My name is Tsvetelin and I am new to EDX development.

I am trying to implement OKTA integration by using EDX hosted login form (currently adopting EXD login form).

After submitting POST authentication request to OKTA (EDX login form submit), I try to redirect browser to OKTA authorisation URL, but browser cause " Cross-Origin Resource Sharing error: **PreflightMissingAllowOriginHeader"

Is the error caused by EDX CORS settings or it comes from OKTA CORS configuration?

Any help is warm welcome

Below I list request/response headers of the process

Thank you

Tsvetelin

LOGIN FORM SUBMITTING

• 8000/user_api/v1/account/login_session/
• Request Method: POST
• Status Code: 302 Found
• Remote Address: [::1]:18000
• Referrer Policy: strict-origin-when-cross-origin
• Response Headers
  • Access-Control-Allow-Credentials: true
  • Access-Control-Allow-Origin: http://localhost:18000
  • Allow: GET, POST, HEAD, OPTIONS
  • Content-Language: en
  • Content-Length: 0
  • Content-Type: text/html; charset=utf-8
  • Date: Tue, 24 Aug 2021 08:56:01 GMT
  • Location: https://takedaext.oktapreview.com/oauth2/default/v1/authorize…….
  • Server: WSGIServer/0.2 CPython/3.5.2
  • Set-Cookie: csrftoken=WMONMVsewzW5ey3zdf2enhNvm9Lme2d2Bo5dBmdjMiJ7zOgACBTzqGsF1vXwepNU; expires=Tue, 23 Aug 2022 08:56:01 GMT; Max-Age=31449600; Path=/; SameSite=Lax
  • Vary: Cookie, Accept, Accept-Language, Origin
  • X-Frame-Options: DENY

REDIRECT REQUEST

• General
  • Request URL: https://takedaext.oktapreview.com/oauth2/default/v1/authorize?……
  • Referrer Policy: strict-origin-when-cross-origin
• Request Headers

  • Provisional headers are shown

  • Referer: http://localhost:18000/

  • User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36

Hi @tsvetelin ! I’ve set up SAML auth with Okta and Open edX before, and here’s a sanitized version of the settings we used.

Open edX SAML settings

• Enabled: Yes
• Icon class: fa-sign-in
• Icon image: None
• Name: <Insert name here>
• Slug: <Insert short name here>
  Must match the Default Relay State on the Okta application.
• Secondary: No
• Site: <Link to site entry>
• Skip hinted login dialog: Yes
• Skip registration form: No
• Skip email verification: Yes
• Send welcome email: Optional
• Visible: Yes
• Max session length (seconds): (blank)
• Send to registration first: No
• Sync learner profile data: Yes
• Enable sso id verification: Yes
• Backend name: tpa-saml
• Enable automatic metadata refresh: Yes
• Identity Provider Type: Standard SAML Provider
• Advanced settings: {“PROVIDER_READ_ONLY_FIELDS”: [ “email”, “name” ]}

These values come from your Okta setup:

• Entity ID: http://www.okta.com/<okta app id>
• Metadata source: https://<app-name>.oktapreview.com/app/<okta app id>/sso/saml/metadata
• Debug mode: No

These attribute names must match those set up as “Attribute statements” in the Okta application:

• User ID Attribute: username
• Full Name Attribute: fullName
• Default Value for Full Name: (blank)
• First Name Attribute: firstName
• Default Value for First Name: (blank)
• Last Name Attribute: lastName
• Default Value for Last Name: (blank)
• Username Hint Attribute: username
• Default Value for Username: (blank)
• Email Attribute: email
• Default Value for Email: (blank)

Open edX site configuration

These ansible variables must be set to allow cross-origin requests and CSRF cookies to be shared across domains.

EDXAPP_FEATURES:
  ENABLE_CROSS_DOMAIN_CSRF_COOKIE: true
EDXAPP_CROSS_DOMAIN_CSRF_COOKIE_NAME: "okta-csrftoken"
EDXAPP_CROSS_DOMAIN_CSRF_COOKIE_DOMAIN: " .\<app-name>.oktapreview.com"
EDXAPP_CSRF_COOKIE_SECURE: true
# EDXAPP_CORS_ORIGIN_ALLOW_ALL: true  # unsafe
EDXAPP_CORS_ORIGIN_WHITELIST: ["<app-name>.oktapreview.com"]

Okta application SAML settings

General

• Single Sign On URL: https://<lms url>/auth/complete/tpa-saml/
• Recipient URL: https://<lms url>/auth/complete/tpa-saml/
• Destination URL: https://<lms url>/auth/complete/tpa-saml/
• Audience Restriction: https://<lms url>
• Default Relay State: <Insert short name here>
  Must match the Slug on the Open edX SAML.
• Name ID Format: Unspecified
• Application username: Okta username
• Update application username on: Create and update
• Response: Signed
• Assertion Signature: Signed
• Signature Algorithm: RSA_SHA256
• Digest Algorithm: SHA256
• Assertion Encryption: Unencrypted
• SAML Single Logout: Disabled
• authnContextClassRef: PasswordProtectedTransport
• Honor Force Authentication: Yes
• Assertion Inline Hook: None (disabled)
• SAML Issuer ID: http://www.okta.com/${org.externalKey}

Attribute Statements

All “Name Formats” are Unspecified.

• firstName: user.firstName
• lastName: user.lastName
• email: user.login
• username: String.len(user.nickName) > 0 ? user.nickName : substringBefore(user.login, "@")
• fullName: String.join(" ", user.firstName, user.lastName)

Group Attribute Statements

None.

@jinder_Singh noted that this setting is pretty unsafe to use – so better to explicitly specify a list of hosts to allow using EDXAPP_CORS_ORIGIN_WHITELIST: ["<app-name>.oktapreview.com", ...] instead, so I’ve amended my post above.