Refused to connect to ‘https://xxxx.okta.com/oauth2/default/.well-known/openid-configuration’ because it violates the following Content Security Polic ,
directive: “default-src ‘self’ https://eum-red-saas.xxxx.io/ https://xxx.okta.com/api/v1/sessions/me”. Note that ‘connect-src’ was not explicitly set, so ‘default-src’ is used as a fallback.
please can someone help me
You need to update your Content Security Policy. Do you know how your app is currently setting this policy? If so, can you share the code that sets it?
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private JwtAuthenticationEntryPoint unauthorizedHandler;
private static final String CSP_HEADERS = "default-src 'self' https://eum-red-saas.instana.io/ https://xxx.okta.com/api/v1/sessions/me; frame-src 'self' https://xxxx.okta.com/ data:; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/npm/hacktimer@1.1.3/HackTimer.min.js https://eum.instana.io/eum.min.js ; object-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; worker-src blob:";
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
httpSecurity
// we don't need CSRF because our token is invulnerable
.csrf().disable()
.exceptionHandling().authenticationEntryPoint(unauthorizedHandler)
.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/")).and().logout()
.logoutSuccessUrl("/").permitAll()
.and()
// don't create session
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers(
HttpMethod.GET,
“/”,
“/.html",
“/favicon.ico”,
“//webfont.",
"//regular.”,
"/**/.jpg”,
“//primeicons.*",
"//.PNG",
"/**/.png”,
“//*.json",
"//.jpeg",
"/**/.html”,
“//*.css",
"/css/”,
“/**/*.js”,
“/rest/monitoring”
).permitAll()
.antMatchers(HttpMethod.GET, “/application/check”).permitAll()
.anyRequest().authenticated().and().oauth2ResourceServer(oauth2ResourceServer →
oauth2ResourceServer
.jwt(jwt →
jwt.jwtAuthenticationConverter(getJwtAuthenticationConverter()))
);
// enable page caching
httpSecurity
.headers()
.cacheControl()
.and()
// add CSP headers to the response
.contentSecurityPolicy(CSP_HEADERS)
.and()
.referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
.and()
.featurePolicy("accelerometer 'none'; camera 'none'; microphone 'none'")
.and()
.frameOptions()
//allow the X-Frame-Options
.sameOrigin()
//enable hsts headers
.httpStrictTransportSecurity()
.includeSubDomains(true)
.maxAgeInSeconds(31536000);it’s work for http but not with https
Add connect-src 'self' https://*.okta.com; to the end of your CSP_HEADERS variable and it should work.
private static final String CSP_HEADERS = "default-src 'self' https://eum-red-saas.instana.io/ https://xxx.okta.com/api/v1/sessions/me; frame-src 'self' https://xxxx.okta.com/ data:; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net/npm/hacktimer@1.1.3/HackTimer.min.js https://eum.instana.io/eum.min.js ; object-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; worker-src blob:; connect-src 'self' https://*.okta.com;";
merci , thank you very much , I test and I tell you 
yeah it works very well , thank you very much for your answer and for your help and for the time you gave me
in http works déconnexion bath not in https https://*.okta.com; ? Maybe this generic expression
I’m not sure what you’re asking. “déconnexion” is not a word I understand.
sorry Matt
in http works Logout bath not in https https://*.okta.com; ? Maybe this generic expression
The logout looks to be successful, or at least it returns a 200. With JHipster (with uses Spring Security), I had to implement a Logout handler to redirect to the client to logout. I explain this in this blog post. This is a couple years old, although the client should be similar. You can see the latest LogoutResource on GitHub.
You might also find this blog post useful. OpenID Connect Logout Options with Spring Boot | Okta Developer
when I click on the disconnect button on the HTTP works very well on the other hand under HTTPS I am redirected all the time to the page home , it is as if the disconnection is not done correctly because of a blocking cros error
I checked the redirects , this is the correct url
it’s work very good with http but not with HTTPS
And de error is CORS error
in my code i have
logout(disconnectionMode) {
this.ngbModal.dismissAll();
this.closeProgressForm();
this.idle.stop();
this.idle.onIdleStart.observers.length = 0;
this.idle.onTimeoutWarning.observers.length = 0;
this.idle.onTimeout.observers.length = 0;
this.idleTimeOut = null;
this.periodTimeOut = null;
this.idle.ngOnDestroy();
this.authenticationService.logout(disconnectionMode).subscribe((result) => {
this.oktaAuthService.logout("/logout").then(() => {
this.oktaAuthService.loginRedirect();
});
});
}
/**
* method for disconnection
*
* @param disconnectionMode mode of disconnection
*/
@PostMapping(value = "/logout")
public Boolean disconnection(@RequestBody String disconnectionMode) {
if (SecurityContextHolder.getContext().getAuthentication().getPrincipal() instanceof AuthenticationUser) {
AuthenticationUser user = (AuthenticationUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
if (user != null) {
resultManager.unassignedResultsForUser(user);
resultManager.dischargeResultsForUser(user);
Optional<SessionApp> sessionApp = sessionAppManager.getCurrentSession(user.getUserId());
sessionApp.ifPresent(app -> sessionAppManager.closeLastSession(app.getIdSessionApp(), DisconnectionModeEnum.valueOf(disconnectionMode)));
LOGGER.info(" logout of user : {} ", user.getUserId());
}
}Have you enabled CORS on your Okta org? For example, if you’re app is running on http://localhost:8080, do you have that as a Trusted Origin in Security > API > Trusted Origins?
This documentation explains more and allows you to test things.
thank you very much matt . You are the best , yes the solution is to activate it 
This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.