问题
I want to access a REST service that's protected by CAS running on a different domain. This means I need to make a request to a CAS login endpoint and have it redirect me to the destination service. There are dozens of questions here about why CORS redirects fail, but I have yet to find any answer about how to actually make it work.
I found some W3C guidance for dealing with CORS that includes a dedicated aside on the topic:
To make possible transparent movement of CORS-enabled resources accessed via simple requests requires work and coordination by servers. For example, a resource at https://old.example.com/resource might respond to a CORS request with credentals with a redirect to https://new.example.com/resource?originalOrigin=...&credential=... which would carry the authority to access the resource in the URL parameter instead of the Cookie and Origin headers. The server at https://new.example.com would need custom logic to recognize and authenticate these parameters and perform appropriate authorization before returning Access-Control-Allow- headers to the user agent.
I control the container for both services plus the client code, so I should be able to do this (right?), but I don't think what's described in that document is actually possible. The login endpoint already is able to redirect with a one-time credential token (that's how CAS works), so it should be easy.
As the text says, the redirector (old.example.com in the above) should be requested with credentials. But, if I call fetch(url, {credentials:"include"}), credentials will also be included when following the redirect (new.example.com, in the above). Because I'm telling fetch to include credentials, the final URL loaded by the browser must send a matching ACA-Origin header, but because it's the target of a redirect, the origin of the second request will be null.
To make the W3C-suggested workflow possible, I'd need to be able to tell the browser to send credentials to old.example.com but once it redirects you to new.example.com, request it without credentials / in no-cors mode. As far as I know that's not possible -- the initial request and all following redirects get the same fetch options. Am I missing something? Is there another way to accomplish this?
回答1:
You're not missing anything. You'd need to update all callers if you don't want to allow credentialed requests on the new location.
来源:https://stackoverflow.com/questions/52518370/transparent-movement-of-cors-enabled-resources-with-cross-origin-redirect