CORS error while trying to redirect to duo url.

[emrebayramc]

Hello,
I have followed the demos and I am getting CORS error on browser when I am trying to redirect to the prompt_uri.
Any idea why?

.
.
.
    prompt_uri = duo_client.create_auth_url(username, state)

    # Redirect to prompt URI which will redirect to the client's redirect URI
    # after 2FA
    return redirect(prompt_uri)
.
.
.

[AaronAtDuo]

@kazanture Are you getting this issue with the provided demo itself, or from some other application you've added the client to?

[nishant-rana-19]

@kazanture Any update or solution you found regarding this ?

[AaronAtDuo]

@nishant-rana-19 are you also running into this issue? Can you tell us more about how you are deploying the Duo integration? We have not been able to reproduce this issue internally, so any details you can provide about the web application or environment might help.

[nishant-rana-19]

@AaronAtDuo So it's a simple login page with username and password as input and upon input I am verifying that the credentials are okay. If credentials are verified I return redirect(prompt_uri) as done in demo of the Web SDK v4. Now on the frontend side I get 302 response code which is correct for redirection. After that another request goes to the prompt_uri and I get the above mentioned error.

[emrebayramc]

@nishant-rana-19 I don't remember the details but I finally had believed duo universal was not enabled on my duo account because it was showing like this:

so we have switched to the old sdk: duo_web==1.3.0

Not sure if that was the case but we were able to move forward so i did not dig deeper.

[nishant-rana-19]

@kazanture @AaronAtDuo I will update about this universal prompt, if I remember correctly I did enable this.
In the meanwhile, I kind of found a workaround, so I am now redirecting from the front-end side (ReactJS) and after that the duo prompt redirect back to my site. Still haven't implemented this fully (tried it and it worked) so don't know about any issues that might arise.

[nishant-rana-19]

@kazanture @AaronAtDuo Yup my duo universal prompt is still 'Waiting on Duo..', one question I do have: Do I need this to be on New Prompt Ready or Activated for using Web SDK ?

[AaronAtDuo]

This client will work either way. The "Activate Universal Prompt" and "Waiting on Duo" piece is related to the prompt UI which we are private previewing and will roll out to all customers in the future. You can see https://duo.com/docs/universal-prompt-update-guide for more details.

Any issues you have having should be unrelated to this however, since you're having issues with the redirect to Duo, not with the prompt that Duo serves. One quick question, I see a reference to XHR in the error. Does your application submit the login credentials via a normal form submit or using XHR?

[nishant-rana-19]

@AaronAtDuo Sorry for the late reply. The application uses fetch POST request. The application is based on react.

[C41M50N]

I am also experiencing this same issue. I have a React web application that talks to a FastAPI API. When the redirect response is returned to the web app (after sending an initial get request), I receive an extremely similar error (in the console) to that of the one in the original issue.

Happy to answer any questions to get this resolved.

[AaronAtDuo]

We've received a few more reports of this issue in the last couple weeks. I believe what is happening is:

1. Folks are trying to add Duo to web applications that send login credentials to the server via XHR rather than a simple html form submit
2. The server is replying to the XHR with a 302 redirect to the Duo URL
3. Since this 302 is a reply to an XHR, it triggers a CORS preflight check (this may depend on the JS framework in use?)
4. Duo is not expecting a CORS preflight check and so does not respond appropriately
5. The CORS preflight errors out and so the whole redirect is canceled.
   if anyone who is still being affected by this issue could let me know it I seem to be on the right track, that would be very helpful.

If I am right, there may be a few options...
A) The example implementation of the server code is not assuming XHR is in use. Affected web applications could be updated to respond to the credential submit not with a 302 redirect but with something that indicates to the client-side JS about the URL to follow
B) Duo might be able to support the CORS preflight check better

[goulter]

@AaronAtDuo I know this issue is closed, but I am experiencing this very error.
I can generate the prompt_uri via the create_auth_url function.
When I tell Django to redirect to that prompt_uri like return redirect(prompt_uri), I get this error:

CORS missing allow origin
Status 405
Method Not Allowed
Version HTTP/1.1
Transferred 209 B (0 B size)
Referrer Policy strict-origin-when-cross-origin
DNS Resolution System