Hi, I am getting a CORS error when integrating gooddata.cn with accelerator toolkit in production environment. The domain hosted is different from the domain gooddata.cn is hosted Changed the build command to cross-env REACT_APP_SET_HOSTNAME=true npm run build

Hello Vatsal, can you make sure you allowed app's domain as a CORS origin for your hosted GoodData.CN instance?

Hi @Jiri Zajic Where can i set the origin, we tried to find the settings but were not able to. Do you have steps to achieve it

In the HELM chart, please look for the following:

Hi Jiri It didn't work ingress is throwing error

Hi @Jiri Zajic can you help me with the file name On helm chart which customised values file required to make a change. https://community.gooddata.com/administration-61/cors-error-heroku-hosted-reactapp-453 if any documentation for 1.3 gdcn WRT kindly provide the link Thanks Ashok

Hello, We faced erros when we used the helm chart as suggested by you. We tried using a separate ingress section and also under annotations.

cors-customized-values-gooddata-cnref.yml

Hi Jiri We were able to add url to solve the CORS. But the accelerator is not working as expected it is redirected to the gooddata hosted page.

Hello Vatsal! I'm glad you were able to solve the CORS issue! The accelerator toolkit should work, are you sure you are runnig it with the

--backend tiger

parameter?

Hi Jiri, I took care of the adding the backend=tiger with the accelerator. But still it is not working as expected. Is there any difference with k8s version and the community edition of the Gooddata.CN

What exactly is the issue, Vatsal?

Hi Jiri, The login page from accelerator is redirecting to gooddata.cn instance which throws the below error

{
  "title": "Not Found",
  "status": 404,
  "detail": "No API path found that matches request '/appLogin'.",
  "traceId": "7c88e78afa940ec8"
}

@Jiri Zajic we had some more discussion with @Vatsal Trivedi in DMs and the problem they are trying to solve is that their app should not need authentication: they want anyone with access to the URL to be able to see the app (which was not immediately clear to me). I am not really sure what the best way of doing this would be though, hardocding an auth token in the app code might work, but I wonder if there is a better way of doing this. Do you know Jirka?

1) Create a user on GD.CN Using Built in OIDC Provider (https://www.gooddata.com/developers/cloud-native/doc/1.4/administration/auth/built-in-oidc/) 2) Mapped the user to the Organization (https://www.gooddata.com/developers/cloud-native/doc/1.4/administration/auth/user-management/) 3) Login with the User. 4) Get the API Token (using valid Authenticated Session fetch('/api/entities/users/{userId}/apiTokens', {}....). 5) Create React App using backend tiger SDK (https://sdk.gooddata.com/gooddata-ui/docs/create_new_application.html) 6) Use the API Token Generated earlier as Tiger Token to authenticate with GD.CN using the same user credentials. 7) It redirects to a different page. Why is this happening? We also get below error {"title":"Not Found","status":404,"detail":"No API path found that matches request '/appLogin'.","traceId":"7c88e78afa940ec8"}

@Jan Soubusta can you please advise?

I am not an expert in this area. @Robert Moucha could you help us here?

The plain request to

/appLogin

ends with 404. You need to pass mandatory query param

redirectTo

pointing to uri-encoded path where the you want to be redirected after authentication. E.g

/appLogin?redirectTo=%2F

performs authentication and redirects you to

/

.

Hi @Robert Moucha Can you please help me with which section above changes needed to made. (I have applied change under authhost of dex section.)

it's a top-level section

dex:
  authService:
    allowRedirect: '<https://gdcn-test.herokuapp.com|https://gdcn-test.herokuapp.com>' 
  ingress:
    authHost: '<http://auth-fc.factoreal.com|auth-fc.factoreal.com>'
    annotations:

<http://kubernetes.io/ingress.class|kubernetes.io/ingress.class>: nginx

no, I mean top-level of your customized-values yaml. Like:

authService:
  allowRedirect: "<https://localhost:8443>"
dex:
  ingress:
...etc

Oh Okay Thanks for clarifying 🙂

Hi @Robert Moucha How to use tiger token for auth directly in prod instance?

Bearer token is meant for API access. Every request must carry the header

Authorization: Bearer *thisisyoursecrettoken*

@Robert Moucha, the issue is still not resolved. We have followed all the steps mentioned. The reactapp page keeps refreshing

Sorry, React/JS is not my domain of expertise. Maybe @Dan Homola could help investigate? As far as the deployment is concerned, these helm chart settings are relevant: • CORS-related annotations as already described above • authService.allowRedirect set to your react app endpoint (see above) React app can operate in two distinct modes (see README.md in generated react app): 1. "development" mode, where backend auth is done using token (set REACT_APP_DEV_TIGER_API_TOKEN to token value and unset REACT_APP_SET_HOSTNAME) 2. "production" mode, with full OIDC integration (unset REACT_APP_DEV_TIGER_API_TOKEN and set REACT_APP_SET_HOSTNAME=true)

@Guruprasad I’m not sure what you mean, the generated app should work with GoodData.CN already. I guess the only problem you now face is the Authorization token passing right?

Thats correct. We are facing issue with Authorization token passing

@Dan Homola Please kindly check out https://gdcn-test.herokuapp.com

Hm, it seems your requests do not have the token in the authorization header. Please make sure you are using the TigerTokenAuthProvider in your src/contexts/Auth/backend file (you might need to do some tweaking there as your use case is not something we support out of the box)

Hi @Dan Homola Without tweaking anything, the auth does not seen to work

const createBackendForDevelopment = () => {
    if (!process.env.REACT_APP_SET_HOSTNAME && process.env.REACT_APP_DEV_TIGER_API_TOKEN) {
        <http://console.info|console.info>(
            "The application will use Tiger API Token for authentication and will use the proxy to send requests to the backend.",
        );

        return tigerFactory().withAuthentication(
            new TigerTokenAuthProvider(process.env.REACT_APP_DEV_TIGER_API_TOKEN),
        );
    }

    <http://console.info|console.info>(
        "The application will use Tiger OIDC authentication flow for authentication and will send requests directly to the backend. Please make sure your installation has correct CORS setup.",
    );

    return tigerFactory({ hostname: backend }).withAuthentication(
        new ContextDeferredAuthProvider(throttledHandler),
    );
};

const createBackendForProduction = () => {
    if (!process.env.REACT_APP_SET_HOSTNAME) {
        return tigerFactory().withAuthentication(new ContextDeferredAuthProvider(throttledHandler));
    }
    return tigerFactory({ hostname: backend }).withAuthentication(
        new ContextDeferredAuthProvider(throttledHandler),
    );
};

Right, because for production builds, the

createBackendForProduction

function is used. You will need to adapt the parts around TigerTokenAuthProvider and put them in the

createBackendForProduction

function. This is because out of the box we only support the token for development because using it for production can pose security problems. But I guess for your usecase it might be fine.

Lets skip the part of our use case I am trying to use out of the solution That is also not working right now

I am not sure what you mean by

I am trying to use out of the solution

can you please elaborate?

Out of box solution*

Right but if you use the out of the box solution, you need to login using the login form you are redirected to and then it should work, right?

That redirect is also not working

When I go to https://gdcn-test.herokuapp.com/ I get redirected to https://auth-fc.factoreal.com/dex/auth/local?req=ma47lhqcy5dzuom247tjtords which I think is fine, or am I missing something?

It gets redirected After giving the username and password it does not authorize the user No session or session expired message keeps poping

In that case it seems something is wrong on the backend side, did you try what @Robert Moucha suggested?

yes i tried that too

Yes @Dan Homola I have done the @Robert Moucha suggested changes and applied

are you building the app with the

build-with-explicit-hostname

script?

This how it looks

authService:
  allowRedirect: '<https://gdcn-test.herokuapp.com|https://gdcn-test.herokuapp.com>'

dex:
  ingress:
    authHost: '<http://auth-fc.factoreal.com|auth-fc.factoreal.com>'
    annotations:
      <http://kubernetes.io/ingress.class|kubernetes.io/ingress.class>: nginx



ingress:
  annotations:
    <http://kubernetes.io/ingress.class|kubernetes.io/ingress.class>: nginx
    <http://nginx.ingress.kubernetes.io/cors-allow-credentials|nginx.ingress.kubernetes.io/cors-allow-credentials>: "true"
    <http://nginx.ingress.kubernetes.io/cors-allow-methods|nginx.ingress.kubernetes.io/cors-allow-methods>: PUT, GET, POST, OPTIONS, DELETE, PATCH
    <http://nginx.ingress.kubernetes.io/enable-cors|nginx.ingress.kubernetes.io/enable-cors>: "true"
    <http://nginx.ingress.kubernetes.io/cors-allow-origin|nginx.ingress.kubernetes.io/cors-allow-origin>: <https://gdcn-test.herokuapp.com|https://gdcn-test.herokuapp.com>

<http://nginx.ingress.kubernetes.io/cors-allow-headers|nginx.ingress.kubernetes.io/cors-allow-headers>: "X-GDC-JS-SDK-COMP, X-GDC-JS-SDK-COMP-PROPS, X-GDC-JS-PACKAGE, X-GDC-JS-PACKAGE-VERSION, x-requested-with, X-GDC-VALIDATE-RELATIONS, DNT, X-CustomHeader, Keep-Alive, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Authorization"


#### gdcn robert asked to remove to fix issue

I think we are mixing two different things here: Scenario 1: if you want to try your app to allow “anonymous” access, then you need to tweak your backend file with something like

const createBackendForProduction = () => {
    return tigerFactory().withAuthentication(
        new TigerTokenAuthProvider(process.env.REACT_APP_DEV_TIGER_API_TOKEN),
    );
};

Note though that this is not secure as your token will get hardcoded into the application. Scenario 2: if you want to try your app with proper login, then from what you are describing it seems there is either some problem with the settings on the backend or your app is not built properly (what command do you use to build the app?)

I just checked your herokuapp

@Robert Moucha is it config issue of frontend App or GDCN deployment ?

GDCN. Please try setting:

cookiePolicy: None

And update helm release on your cluster with this setting

Kindly help me with "cookiePolicy: None " whare exactly should i need to be included on customised value file

it's a top-level key. So it must not be nested in ano other key

Applied the changes cn auth service got redeployed

Please find the steps we tried to make this work.

@Dan Homola or anyone - could you please review Guru's steps if everything is done as expected?

@Guruprasad the steps in the document look ok, as @Robert Moucha mentions in his message, the RedirectIfNotLoggedIn might cause some issues in your particular use case, so it might be better to keep that commented out.

Hi @Robert Moucha How to allow multiple domains kindly help . Context: Their will be different workspaces for each react reach app for dev,test,pod Thanks

Hi @Ashok, if I understand correctly, you want to have multiple react apps, each on its own hostnname (like gdcn-dev.example.com, gdcn-dev.example.com and so on), all pointing to the same GD.CN deployment to their respective organization (like backend-dev.example.com for DEV organization, backend-test.example.com for TEST organization and so on). Is that correct?

No! Only one organisation with multiple workspaces . However with different react apps hosted on different domains example (ws-dev-reactapp.example.com, ws-qa-reactapp.example.com,ws-prod-reactapp.example.com)

I see. Anyway, this is currently also not possible as there's only one deployment-wide setting for CORS and allowRedirect. I filed internal request five days ago to remove this limitation if you have multiple organizations. For your specific case, where you have more react apps pointing to the same organization, it may be even more tricky. The problem is that header

Access-Control-Allow-Origin

can contain only one URL.

Can you please suggest any workaround for achieve this !

Is there any chance to mount all these react apps to different contexts on the same domain? Like: ws-reactapp.example.com/dev/, ws-reactapp.example.com/qa/, and so on?

Let me check with @Guruprasad

Setting this header value to

*

could work for regular oauth2 authentication, but you could not use token auth (Authorization: Bearer xxxx). This should not be an issue, however. We need to check this option. If it works, it would resolve the cors issue, but the problem with allowRedirect would still remain and we need to resolve this internally.