AWS Cloudfront gives a CORS error with AWS S3 as origin

1
votes

I had hosted a webapp on S3 and we used the S3 Hosting link to access the webapp. We have a Login option on the App that calls the Okta sign in link from within. Everything was working fine on the S3 link and I had enabled the Okta link on the S3 CORS as allowed origin. I recently added the S3 Origin to Cloudfront, now, I'm not able to procees with the Login as the Okta link is being blocked by CORS Policies.

Details :

  1. The entire site is working normally as expected.
  2. The CORS issue only comes up on the Cloudfront link. No CORS errors come up when using the S3 static link. ( as the S3 CORS have been added to allow Okta links )
  3. Error that comes up : Cross origin resource sharing error: PreflightMissingAllowOriginHeader.

Access to fetch at 'https://{my_okta_org}.okta.com/api/v1/authn' from origin 'https://{cloudfront_release}.cloudfront.net' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Questions:

  1. What Config changes do I have to add on Cloudfront to allow the allowed CORS on S3?

Reference:

  1. Ref-01
  2. Ref - 02

Other Details :

  1. CORS allowed in S3:

    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "PUT",
            "POST",
            "DELETE",
            "HEAD"
        ],
        "AllowedOrigins": [
            "https://{my_okta_url}.okta.com"
        ],
        "ExposeHeaders": []
    },
  1. Cloudfront Details :

enter image description here

3
reactjsamazon-web-servicesamazon-s3corsamazon-cloudfront
stackoverflow.com/questions/50299204/… see this will help you.aviboy2006
Hi @aviboy2006 Thanks for recommending the solution, but the issue does not seem to be with error handling. It's actually CORS based. I'm unable to forward origins to S3 from cloudfront.Raghav Mishra

3 Answers

1
votes

This is an issue between CloudFront and Okta, S3 isn't involved in your request pipeline yet. The preflight issue is very common, and it's working as designed, and the error message is telling you exactly what you need to do. I'm not familiar with Okta, but it looks like you may have configured it to accept traffic from S3, and you need to change that to accept traffic from CloudFront. Alternatively, your CloudFront configuration needs to add the "Access-Control-Allow-Origin" HTTP header to the request from CloudFront to Okta, and (preferred) list the CloudFront origin specifically rather than using a wildcard. An overview of this header is https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin.

1
votes

Can you please make sure the following things are setup correctly:

  1. In Otka Application Settings, you have your CloudFront URL configured as one of the allowed Base URLs (refer image)otka CloudFront
  2. Your CloudFront settings for whitelisting seem fine.
  3. Refer this if you are using Callbacks in Otka (Otka Callback LambdaEdge)
1
votes

NOTE: [Answering my own question.]

So, this was an issue directly between the cloudfront distribution and Okta. I had enabled all CORS policies on our S3 side and everything to forward headers on cloudfront. What I had missed is to add the Cloudfront Origin to a whitelist on the Okta side for CORS policies. Adding the Cloudfront URL to the Whitelisted Origins solved the issue.

To do this I had to go to Okta Console > Security > API > Trusted Origins. Added the Origin name to be allowed access to Okta here.

enter image description here

Note: Other answers Give a much deeper insight of what else could we check to make the solution work, and should be quite beneficial for troubleshooting.