APIGEE配置:如何处理CORS错误

huangapple
go评论78阅读模式
英文:

APIGEE configuration: how to handle CORS error

问题

我在APIGEE Edge上配置了一个API代理,当启用OAuth访问令牌验证时,它会抛出CORS错误并自动将POST请求转换为OPTIONS请求。我尝试在预处理和后处理流的不同点配置CORS策略,但都没有成功。谢谢您的帮助。

我尝试添加CORS策略并添加一个预检流来处理OPTIONS请求,但都没有起作用。现在我还没有弄清楚为什么POST请求会被当作OPTIONS请求处理。

英文:

I have an API Proxy configured on APIGEE Edge that throws a CORS Error and automatically turns a POST request to an OPTIONS request when OAuth Access Token Verification is enabled.

I have tried configuring the CORS Policy at various points in the Pre and Post flows but to no avail.

TIA.

I tried adding CORS Policy and adding a Preflight Flow for handling the OPTIONS request but none of that worked.

Now I haven't yet figured it out why a POST request lands at as an OPTIONS request.

答案1

得分: 0

以下步骤帮助我实施了用于Apigee代理的CORS配置。

  1. 根据文档添加CORS策略。
  2. 一旦您添加了CORS策略,进入“代理端点”,在“PreFlow”中的“Response”步骤中添加您的策略。
  3. 在附加到跳过OPTION请求的所有策略上添加条件,如下图所示。
  4. 还要为CORS-Preflight添加“Flow”。

APIGEE配置:如何处理CORS错误

英文:

Below steps helped me to implemeted CORS configuration for apigee proxy.

  1. Add a CORS policy as per the documentation.
  2. Once you've added the CORS policy; in the Proxy Endpoints go to PreFlow and add your policy in Response step.
  3. Add Condition(s) to all your policies attached to skip the OPTION request as shown in screenshot below.
  4. Also add Flow for CORS-Preflight

APIGEE配置:如何处理CORS错误

答案2

得分: 0

你只需要为Preflight Call添加Assign Message策略来为CORS问题添加正确的标头,该请求的谓词将是OPTIONS。

要做到这一点,您可以添加一个检查请求谓词的Flow,以及一个路由规则,不会将Options调用路由到任何目标端点,因为此调用只应设置标头,不做其他事情。

在此之后,您的代理端点将如下所示:

<PreFlow name="PreFlow">
    <Request>
        <Step>
            <Name>Some Policy</Name>
            <Condition>(request.verb != "OPTIONS")</Condition>
        </Step>
    </Request>
    <Response/>
</PreFlow>
<Flows>
    <Flow name="Option-Preflight">
        <Description/>
        <Request/>
        <Response>
            <Step>
                <Name>AM-SetCORS</Name>
            </Step>
        </Response>
        <Condition>(request.verb == "OPTIONS")</Condition>
    </Flow>
</Flows>
<PostFlow>
    <Request>
        <Step>
            <Name>Some Policy</Name>
            <Condition>(request.verb != "OPTIONS")</Condition>
        </Step>
    </Request>
    <Response/>
</PostFlow>
<HTTPProxyConnection>
    <BasePath>/demo</BasePath>
</HTTPProxyConnection>
<RouteRule name="NoRoute">
    <Condition>(request.verb == "OPTIONS")</Condition>
</RouteRule>
<RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
</RouteRule>

在AM-SetCORS策略中,您可以添加以下内容:

<AssignMessage continueOnError="false" enabled="true" name="AM-SetCORS">
    <DisplayName>AM-SetCORS</DisplayName>
    <Properties/>
    <Set>
        <Headers>
            <Header name="Access-Control-Allow-Origin">*</Header>
            <Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept, authorization, content-type, source, access-control-allow-origin, apikey, access-control-allow-credentials</Header>
            <Header name="Access-Control-Max-Age">3628800</Header>
            <Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
        </Headers>
    </Set>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo type="response" transport="http" createNew="false"/>
</AssignMessage>

您还可以在Access-Control-Allow-Headers中添加*以允许所有标头。这主要取决于用例。

英文:

You just have to add the Assign Message Policy for Preflight Call to add the correct headers for CORS Issue whose request verb would be OPTIONS.

To do this, you can add a Flow that checks the request verb, and a Route Rule that does not route the Options call to any target Endpoint because this call should only set headers and nothing else.

Your Proxy Endpoint will look something like this after that:

<PreFlow name="PreFlow">
    <Request>
        <Step>
            <Name>Some Policy</Name>
            <Condition>(request.verb != "OPTIONS")</Condition>
        </Step>
    </Request>
    <Response/>
</PreFlow>
<Flows>
    <Flow name="Option-Preflight">
        <Description/>
        <Request/>
        <Response>
            <Step>
                <Name>AM-SetCORS</Name>
            </Step>
        </Response>
        <Condition>(request.verb == "OPTIONS")</Condition>
    </Flow>
</Flows>
<PostFlow>
    <Request>
        <Step>
            <Name>Some Policy</Name>
            <Condition>(request.verb != "OPTIONS")</Condition>
        </Step>
    </Request>
    <Response/>
</PostFlow>
<HTTPProxyConnection>
    <BasePath>/demo</BasePath>
</HTTPProxyConnection>
<RouteRule name="NoRoute">
    <Condition>(request.verb == "OPTIONS")</Condition>
</RouteRule>
<RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
</RouteRule>

In the AM-SetCORS policy you can add this:

<AssignMessage continueOnError="false" enabled="true" name="AM-SetCORS">
    <DisplayName>AM-SetCORS</DisplayName>
    <Properties/>
    <Set>
        <Headers>
            <Header name="Access-Control-Allow-Origin">*</Header>
            <Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept, authorization, content-type, source, access-control-allow-origin, apikey, access-control-allow-credentials</Header>
            <Header name="Access-Control-Max-Age">3628800</Header>
            <Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
        </Headers>
    </Set>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo type="response" transport="http" createNew="false"/>
</AssignMessage>

You can also add * in the Access-Control-Allow-Headers as well to allow all the headers. It mainly depends on the use case.

huangapple
  • 本文由 发表于 2023年3月9日 19:25:14
  • 转载请务必保留本文链接:https://go.coder-hub.com/75683949.html
  • apigee
  • cors
  • header
  • oauth-2.0
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定