Hello together,
I am currently facing an issue with CORS…
We are using a NextJS Frontend and a Quarkus Backend.
We use the Quarkus OIDC lib and the error occurs when calling the backend from the frontend via axios.post. I would expect to be redirected to the login page but I am facing the following error:
Access to XMLHttpRequest at ‘***’ (redirected from ‘Backend API’) from origin ‘Frontend Origin’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
These are the Quarkus application.properties:
quarkus.oidc.authentication.scopes=openid,profile,email,offline_access
quarkus.oidc.authentication.java-script-auto-redirect=false
quarkus.oidc.end-session-path=oidc/logout
quarkus.oidc.logout.path=/logout
quarkus.oidc.logout.post-logout-path=/hello
quarkus.http.cors=true
%dev.quarkus.http.cors.origins=/.*/
quarkus.http.cors.methods=GET,PUT,POST,DELETE,OPTIONS,PATCH
quarkus.http.cors.headers=origin,accept,authorization,content-type,x-requested-with
quarkus.http.cors.exposed-headers=Access-Control-Allow-Origin,Authorization,Content-Disposition
quarkus.http.cors.access-control-max-age=24H
quarkus.http.cors.access-control-allow-credentials=true
If I enable the logs I can also see this line at least:
Code flow redirect to: ***
Hi @Alwin-dotcom,
Welcome to the Auth0 Community!
I recommend checking out this related post that addresses the CORS error you have been experiencing.
Let me know if you have any follow-up questions.
Thanks,
Rueben
Hello @rueben.tiow
To be honest it is the same issue! It is my colleague it seems and the issue is still not solved… I don’t think it is a Quarkus issue:
I can call the backend directly and get forwarded to the login site. If I copy the curl from the frontend being sent to the backend I get the login page as response back…
So it seems I have to somehow modify the frontend call… would it help if I paste the link to the github repo?
Hi @Alwin-dotcom,
Thanks for the follow-up.
Could you confirm if you were able to successfully log in on your login page and reach your callback URL?
Hi @rueben.tiow ,
yes! If I call the backend url via the browser directly everything works as expected.
It’s only not working in combination frontend->backend(redirecting)->Okta
It looks like the preflight is already not working…
Any suggestion/recommendation is highly appreciated!
Thank you in advance…
Best Regards
Hi @Alwin-dotcom,
I have checked your tenant logs and can confirm that you were successfully able to log in without issues.
Given that, there does not seem to be any misconfiguration on the Auth0 side.
There seems to be an underlying issue happening only when you attempt to use your frontend and backend to redirect to Okta to authenticate.
I recommend checking your network activity during this combined login flow to verify that the origin of your request matches the one requesting it. Then also ensure that your No Access Control-Allow-Origin header is present in the request from your backend.
Let me know how this goes for you.
Thanks,
Rueben
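Added example, not part of the thread: a simplified version of the check a browser applies to a preflight (OPTIONS) response, usable with request and response headers copied from the network tab for each hop. The sample request and responses are constructed, and the `http://` origin scheme and `credentials: true` (axios `withCredentials`) are assumptions.

```javascript
// Added example: simplified CORS preflight check (after the Fetch standard).
// Response header names are expected in lower case.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];
const list = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// req: { origin, method, headers: [non-safelisted request header names], credentials }
// res: { status, headers } of the OPTIONS response. Returns "ok" or the failure reason.
function checkPreflight(req, res) {
  const h = res.headers;
  if (res.status < 200 || res.status > 299) return `preflight status ${res.status} is not 2xx`;
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return "no Access-Control-Allow-Origin header";
  if (req.credentials) {
    // With credentials the wildcard is not accepted anywhere.
    if (acao !== req.origin) return `Access-Control-Allow-Origin '${acao}' is not '${req.origin}'`;
    if (h["access-control-allow-credentials"] !== "true")
      return "Access-Control-Allow-Credentials is not 'true'";
  } else if (acao !== "*" && acao !== req.origin) {
    return `Access-Control-Allow-Origin '${acao}' is not '${req.origin}'`;
  }
  const star = !req.credentials; // "*" only counts for requests without credentials
  const methods = list(h["access-control-allow-methods"]);
  if (!SAFELISTED_METHODS.includes(req.method) && !methods.includes(req.method) &&
      !(star && methods.includes("*")))
    return `method ${req.method} not in Access-Control-Allow-Methods`;
  const allowed = list(h["access-control-allow-headers"]).map((s) => s.toLowerCase());
  for (const name of req.headers.map((s) => s.toLowerCase())) {
    const viaStar = star && allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !viaStar)
      return `request header ${name} not in Access-Control-Allow-Headers`;
  }
  return "ok";
}

// Constructed sample data. The origin scheme and credentials mode are assumptions.
const request = { origin: "http://localhost:3000", method: "POST",
                  headers: ["content-type"], credentials: true };
const backendPreflight = { status: 200, headers: {
  "access-control-allow-origin": "http://localhost:3000",
  "access-control-allow-credentials": "true",
  "access-control-allow-methods": "GET,PUT,POST,DELETE,OPTIONS,PATCH",
  "access-control-allow-headers": "origin,accept,authorization,content-type,x-requested-with",
} };
const noCorsHeaders = { status: 200, headers: { "content-type": "text/html" } };

console.log("backend preflight:", checkPreflight(request, backendPreflight));
console.log("response without CORS headers:", checkPreflight(request, noCorsHeaders));
```

Tools such as curl and direct browser navigation do not run this check, so a request that succeeds there can still be blocked when issued through XMLHttpRequest.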
2025-02-05 16:17:04,580 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) Authentication request redirect_uri parameter:
2025-02-05 16:17:04,580 DEBUG [io.qua.oid.run.OidcUtils] (vert.x-eventloop-thread-3) q_auth_4b927c75-cebe-4ce7-b00f-77add58f2ed0 cookie ‘max-age’ parameter is set to 300
2025-02-05 16:17:04,580 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) Code flow redirect to:
2025-02-05 16:17:04,581 INFO [io.qua.htt.access-log] (vert.x-eventloop-thread-3) POST /quiz-app/resources/question-answer HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 348
sec-ch-ua-platform: “macOS”
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: application/json, text/plain, /
sec-ch-ua: “Google Chrome”;v=“131”, “Chromium”;v=“131”, “Not_A Brand”;v=“24”
Content-Type: application/json
sec-ch-ua-mobile: ?0
Origin: localhost:3000
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: localhost:3000/
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
@rueben.tiow any idea when you have a look at these logs?
Hi @Alwin-dotcom,
Thanks for sharing the debug logs. I have reviewed them and do not see any errors.
Ultimately, there seems to be an issue with how the origin of your request does not match the one requesting it and is missing CORS headers. Your logs clearly show that your origin is localhost:3000 and that you are making requests to localhost:8080. This requires proper CORS configuration on the Quarkus backend to allow the request. The logs also confirmed that the request was sent but do not indicate whether the backend responded with the required CORS headers.
Additionally, I noticed in your Quarkus applications.properties that you currently use a wildcard for dev.quarkus.http.cors.origins=/.*/, which does not explicitly reference the origin of the request, specifically localhost:3000.
I suggest explicitly referencing the origin of your frontend to ensure you have CORS correctly configured on your Quarkus backend.
Thanks,
Rueben
Once that’s done, you should get an access token to