keyclock: Load denied by X-Frame-Options message

[vangelisv]

When opening (loading) a widget in Wirecloud/FiSpace we get the following message:

Load denied by X-Frame-Options: http://auth.ee.fispace.eu:8080/auth/realms/fispace/tokens/login?client_id=ffa2&redirect_uri=http%3A%2F%2F37.131.251.130%3A8088%2Fapi%2Fwidget%2FAgrostis%2Fifarma-ffa%2F0.0.8%2Fxhtml%3Fredirect_fragment%3Did%253D504%26prompt%3Dnone&state=33df2156-0756-4d1d-8c9f-aec12d93e739&response_type=code&prompt=none does not permit cross-origin framing.

Our keycloak.json:

{
  "realm" : "fispace",
  "realm-public-key" : "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
  "auth-server-url" : "http://auth.ee.fispace.eu:8080/auth",
  "ssl-required" : "none",
  "resource" : "ffa2",
  "public-client" : true,
    "enable-cors" : true,
  "cors-max-age" : 1000,
  "cors-allowed-methods" : [ "POST", "PUT", "DELETE", "GET" ]
}

[vangelisv]

Seems to me related to
https://bitbucket.org/fispace/core/issues/1119/authorization-of-app-back-end-fails-when

[perezdf]

could be. Anyway, can you provide the widget anywhere where we can take it and reproduce the exact behavior? either the store or the source link

[vangelisv]

I cannot upload anything to the store. It is not working for me. There is a related issue open in this repo
But you can find the wgt at https://ffa.agrostis.gr/ifarma-ffa-0.1.wgt

[perezdf]

Well, I have found the solution, it is related to the issue above but not exactly the same, the solution is more related to the wirecloud configuration

You can check yourself in the following instance
http://195.87.138.166:8080/gui

The continuity of service is not warranty because this instance is used for the integrations (on the other hand, I have completed control of it)

Please, @ccelators, create an issue in phase3support issue tracker. I would support directly with the solution and support team may implemented when they consider.

[vangelisv]

Thanks for the quick reply!
I've created an account to the 195... instance but I also need developer role to register the OAuth client in this instance...

[perezdf]

well, to deploy the widget you can used directly what you provided me before, but I will assign you the role you want

[perezdf]

take into account this instance is based on version 15, therefore, there are some changes like the version of keycloak 1.1.0, changes in the api from 0.14.3 to 0.15.0, etc... also changes in the version of wirecloud and wstore, etc...

[vangelisv]

I see there are changes. I uploaded the same .wgt I send you and still receive the same message:

Load denied by X-Frame-Options: http://auth.ee.fispace.eu:8080/auth/realms/fispace/tokens/login?client_id=ffa2&redirect_uri=http%3A%2F%2F195.87.138.166%3A9090%2Fshowcase%2Fmedia%2FAgrostis%2Fifarma-ffa%2F0.0.8%2Findex.html&state=b53ae4a8-ef9a-4ea9-a40b-fed10dcd9d92&response_type=code does not permit cross-origin framing.

I'm not sure what (if any) changes are needed to the .wgt itself

[perezdf]

I think this is different issue, isnt it? first one was just opening the widget and second one, you are trying to send something (just in order to get focus myself), right?

Take into account the instance 195... is different than EE, different domains, different sdi end points, even more different APIs.

If you still continue with the attempt, you should aim to sdi endpoint in 195.... where is located

http://195.87.138.166:8080/sdi/admin-api/capabilities

[perezdf]

by the way, let me ask, what is the goal of this widget? I can understand and frontend indepent administration of the capability model (I have it and recommend you for backends), but in a widget which is or should be integrated into the frontend. I presume it just a test, right?

[vangelisv]

Yes it is just a test. For the moment we develop our widget locally and now we try to integrate with keycloak in FISpace EE. The keycloak integration WORKS if we run the widget locally (outside wirecloud). We receive the auth token OK.
Inside Fispace (wirecloud) we have the issue of cross-origin. It seems to me the same issue with the EE

Load denied by X-Frame-Options: http://auth.ee.fispace.eu:8080/auth/realms/fispace/tokens/login?client_id=ffa2&redirect_uri=http%3A%2F%2F195.87.138.166%3A9090%2Fapi%2Fwidget%2FAgrostis%2Fifarma-ffa%2F0.0.8%2Fxhtml%3Fredirect_fragment%3Did%253D2%26prompt%3Dnone&state=0863a383-4af4-4241-8e46-0450805d6a4e&response_type=code&prompt=none does not permit cross-origin framing.

Error happens when I try to reload the widget in the workspace, both in EE and in 195... instance

[vangelisv]

BTW also, do you have any idea why store is not working?

[vangelisv]

Also the cross-origin issue is being discussed in
https://bitbucket.org/fispace/phase3support/issues/31/fispace-and-applications-issue-with-cross

[perezdf]

Issue 31# was related to specific version of firefox. We hace been working on it in the issue tracker SAF2 (original issue)

Regarding of store, I didn't check yet

Regarding of this specific issue connecting, after fixing the issue during deployment, take into account it is different instance, changes have been done in 195... You are trying to connect to http://auth.ee which is different domain/machine

[perezdf]

I have made some changes in the original widget

https://bitbucket.org/fispace/phase3support/downloads/ifarma-ffa-0.5.wgt

you can see a new link called "click" (above status) which calls a GET over sdi endpoint. At least in my wirecloud work space, I dont find the "Load denied"