[Bug] /admin/admin-ajax.php blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

[abdennour]

Overview

I setup the plugin with keycloak & everything is going well (login, logout,...) ,
However... except when clicking on the button which generates new shorten link :

I am getting this error on the browser console:

https://yourls.company.com/admin/?state=d27b8870a0a2301dc6ad72c373d89239&session_state=blah-blah-blah&code=BLAHBLAH

Access to XMLHttpRequest at
 'https://keycloak.company.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&redirect_uri=http%3A%2F%2Fyourls.company.com%2Fadmin%2Fadmin-ajax.php&client_id=yourls&nonce=ec2c2.........&state=9ab......&scope=openid' 
 (redirected from 'https://yourls.company.com/admin/admin-ajax.php?action=add&url=https%3A%2F%2FLONG-URL-THAT-IWANT-TO-SHORTEN&keyword=&nonce=8489da0f63') from origin 'https://yourls.company.com' has been blocked by CORS policy: 
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

steps to reproduce :

1. Run yourls v1.8.1

2. Installing the following plugins :

   • yourls-oidc ( this one) - active
   • authMgrPlus ( for RBAC) - active
   • YOURLS-Import-Export - not activated yet
   • yourls-keyword_charset_length - active

3. Deploy everything thru the official helm chart

4. Configure keycloak as following:
   

Expected Behavior

I would expect that all actions should be authenticated with keycloak without bugs and errors.

Actual Behavior

Actually, the API responsible for generating the shorten link (Which is the main functionality) is not working and it's thrown CORS issue

Attempts to fix :

• I tried to fix this issue based on this Q/A stackoverflow which is about setting the keycloak client settings : Web Origins:
  

Unfortunately, it does not work, and i am still getting the same issue.

Tips :

• with redhat keycloak, it's not only realm url, client id, and client secret, but also you can pass other atteributes. Is it about supporting other attributes like "enable-cors": true . REF: https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/html/securing_applications_and_services_guide/openid_connect_3

• is this helpful also ? https://stackoverflow.com/a/60258569/747579

[joshp23]

Your issue seems to provide the answer here

No 'Access-Control-Allow-Origin' header is present on the requested resource.

So adding something like the following to your vhost config should do the trick:

Access-Control-Allow-Origin: *

or maybe something a bit more specific like the following

Access-Control-Allow-Origin: https://example.com

[fservida]

I'm having the same issue, I think it might be related to yourls / the plugin not respecting the session cookie after authentication and trying to reauthenticate the XHR requests against the openid provider.