Okta Refused to connect to 'https://xxxx.okta.com/oauth2/default/.well-known/openid-configuration'

Refused to connect to ‘https://xxxx.okta.com/oauth2/default/.well-known/openid-configuration’ because it violates the following Content Security Polic ,

directive: “default-src ‘self’ https://eum-red-saas.xxxx.io/ https://xxx.okta.com/api/v1/sessions/me”. Note that ‘connect-src’ was not explicitly set, so ‘default-src’ is used as a fallback.

please can someone help me

You need to update your Content Security Policy. Do you know how your app is currently setting this policy? If so, can you share the code that sets it?

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private JwtAuthenticationEntryPoint unauthorizedHandler;

private static final String CSP_HEADERS = "default-src 'self' https://eum-red-saas.instana.io/ https://xxx.okta.com/api/v1/sessions/me; frame-src 'self' https://xxxx.okta.com/ data:; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/npm/hacktimer@1.1.3/HackTimer.min.js https://eum.instana.io/eum.min.js ; object-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; worker-src blob:";

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
            // we don't need CSRF because our token is invulnerable
            .csrf().disable()

            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler)
            .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/")).and().logout()
            .logoutSuccessUrl("/").permitAll()
            .and()


            // don't create session
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)

            .and()

            .authorizeRequests()

.antMatchers(
HttpMethod.GET,
“/”,
“/.html",
“/favicon.ico”,
“//webfont.",
"/
/regular.”,
"/**/
.jpg”,
“//primeicons.*",
"/
/.PNG",
"/**/
.png”,
“//*.json",
"/
/.jpeg",
"/**/
.html”,
“//*.css",
"/css/
”,
“/**/*.js”,
“/rest/monitoring”
).permitAll()
.antMatchers(HttpMethod.GET, “/application/check”).permitAll()
.anyRequest().authenticated().and().oauth2ResourceServer(oauth2ResourceServer →
oauth2ResourceServer
.jwt(jwt →
jwt.jwtAuthenticationConverter(getJwtAuthenticationConverter()))
);

    // enable page caching
    httpSecurity
            .headers()
            .cacheControl()
            .and()
            // add CSP headers to the response
            .contentSecurityPolicy(CSP_HEADERS)
            .and()
            .referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
            .and()
            .featurePolicy("accelerometer 'none'; camera 'none'; microphone 'none'")
            .and()
            .frameOptions()
            //allow the X-Frame-Options
            .sameOrigin()
            //enable hsts headers
            .httpStrictTransportSecurity()
            .includeSubDomains(true)
            .maxAgeInSeconds(31536000);

it’s work for http but not with https

Add connect-src 'self' https://*.okta.com; to the end of your CSP_HEADERS variable and it should work.

private static final String CSP_HEADERS = "default-src 'self' https://eum-red-saas.instana.io/ https://xxx.okta.com/api/v1/sessions/me; frame-src 'self' https://xxxx.okta.com/ data:; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/npm/hacktimer@1.1.3/HackTimer.min.js https://eum.instana.io/eum.min.js ; object-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; worker-src blob:; connect-src 'self' https://*.okta.com;";

merci , thank you very much , I test and I tell you :pray: :pray:

yeah it works very well , thank you very much for your answer and for your help and for the time you gave me

1 Like

in déconnexion i have Cross error

and I do not disconnect, I am redirected to the home page

in http works déconnexion bath not in https https://*.okta.com; ? Maybe this generic expression

I’m not sure what you’re asking. “déconnexion” is not a word I understand.

sorry Matt
in http works Logout bath not in https https://*.okta.com; ? Maybe this generic expression

The logout looks to be successful, or at least it returns a 200. With JHipster (with uses Spring Security), I had to implement a Logout handler to redirect to the client to logout. I explain this in this blog post. This is a couple years old, although the client should be similar. You can see the latest LogoutResource on GitHub.

You might also find this blog post useful. OpenID Connect Logout Options with Spring Boot | Okta Developer

when I click on the disconnect button on the HTTP works very well on the other hand under HTTPS I am redirected all the time to the page home , it is as if the disconnection is not done correctly because of a blocking cros error

I checked the redirects , this is the correct url

it’s work very good with http but not with HTTPS

And de error is CORS error

in my code i have
logout(disconnectionMode) {
this.ngbModal.dismissAll();
this.closeProgressForm();
this.idle.stop();
this.idle.onIdleStart.observers.length = 0;
this.idle.onTimeoutWarning.observers.length = 0;
this.idle.onTimeout.observers.length = 0;
this.idleTimeOut = null;
this.periodTimeOut = null;
this.idle.ngOnDestroy();
this.authenticationService.logout(disconnectionMode).subscribe((result) => {
this.oktaAuthService.logout("/logout").then(() => {
this.oktaAuthService.loginRedirect();
});
});
}


/**
 * method for disconnection
 *
 * @param disconnectionMode mode of disconnection
 */
@PostMapping(value = "/logout")
public Boolean disconnection(@RequestBody String disconnectionMode) {
    if (SecurityContextHolder.getContext().getAuthentication().getPrincipal() instanceof AuthenticationUser) {
        AuthenticationUser user = (AuthenticationUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        if (user != null) {
            resultManager.unassignedResultsForUser(user);
            resultManager.dischargeResultsForUser(user);
            Optional<SessionApp> sessionApp = sessionAppManager.getCurrentSession(user.getUserId());
            sessionApp.ifPresent(app -> sessionAppManager.closeLastSession(app.getIdSessionApp(), DisconnectionModeEnum.valueOf(disconnectionMode)));
            LOGGER.info(" logout of user  : {} ", user.getUserId());
           
        }
    
}

Have you enabled CORS on your Okta org? For example, if you’re app is running on http://localhost:8080, do you have that as a Trusted Origin in Security > API > Trusted Origins?

This documentation explains more and allows you to test things.

thank you very much matt . You are the best , yes the solution is to activate it :pray: :pray: :slight_smile: