How to pass authentication cookie from another site

Hi,

I'm attempting to set up an integration between Clarizen and another web-based tool our company uses. That tool has an app system that runs via JavaScript from the browser. I'm able to call the login endpoint and get a valid session cookie back, but when I try to pass that back into the EntityQuery datapoint I'm running into issues. By default, that request doesn't include the cookie I obtained from the login call, so I'm trying to force it to pass in using the XMLHttpRequest object's withCredentials flag, which does cause the cookie to be passed in on the request, but throws an error to the browser console:

XMLHttpRequest cannot load https://api2.clarizen.com/v1.0/services/data/EntityQuery. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin {vendor URL} is therefore not allowed access.

My request to the EntityQuery endpoint looks like:

    getClarizenCustomer: function(customerName) {
        // jQuery.ajax-style settings for the EntityQuery call
        return {
            cors: true,
            url: this.resources.SERVER_LOCATION + 'data/EntityQuery',
            xhrFields: { withCredentials: true },  // forces the session cookie onto the cross-origin request
            type: 'POST',
            dataType: 'json',
            data: { /* query goes here */ }
        };
    }

What's the correct way to make sure the cookie is passed in without violating those security constraints?

Alexander Kahn


5 comments


Alexander, 

To better understand this request, can you let me know how/where you are doing this within Clarizen? Are you using the API, or are you simply trying to create a Custom Panel/Custom Page with the JavaScript/HTML code within it?

Boris Krutiy

I'm not doing this from within Clarizen, I'm making the call to Clarizen's API from another site using their JS app platform.

Alexander Kahn

Hi Alexander,

Passing on cookies between web sites may introduce security issues, even if it is eventually possible. You may want to log in to Clarizen on the server side instead, if that platform allows it.

As for the issue you're experiencing, your implementation of passing the cookie seems to be violating some security rules on the platform you're using. I'm not sure it's directly related to Clarizen. If you have to login on the client and pass the cookie on, I suggest you Google that error message. I found at least one link which seems to be relevant:

http://stackoverflow.com/questions/24531864/wildcard-cors-with-allowcredentials-true

Hope this helps,

Ophir

Ophir Kenig

Thanks for your response, Ophir. I'd taken a look at that Stack Overflow link as well, but the solution provided there seems to be a configuration change on the server side rather than a modification of the request, so unfortunately it's of little help to me.

Other than requiring CORS to pass cookies, I don't believe the platform is doing anything specific to cause this issue. For reference, I've attached an HTML file that triggers the same error when run.

Is there any way, other than using a cookie, to pass in authentication data?

Thanks,

Alexander

Alexander Kahn

Hi Alexander.

CORS may pass cookies, but as far as I know, it can do it only if the target site specifies the sending site specifically in the headers.

Obviously Clarizen cannot specify your site specifically and uses '*' in the Access-Control-Allow-Origin header, but when '*' is used you cannot send cookies (see http://en.wikipedia.org/wiki/Cross-origin_resource_sharing), which is what I understand from the browser error message. As the browser doesn't pass the cookie, you're not authenticated and the request fails.

All in all, logging in to a different site and using the session cookie of that site to make further requests seems to be impossible in a browser script, because of browser security limitations.

I do suggest you log in and perform the queries on your server side if you can.

Hope this helps,

Ophir

Ophir Kenig
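The rule Ophir describes above, written out as an added example that is not part of this thread and not Clarizen's own code or API: a small Node.js model of both sides of a credentialed CORS exchange. The server half shows what a target site has to send to accept cookies from a named origin (echo that exact origin from an allow-list plus Access-Control-Allow-Credentials, never '*'); the browser half reproduces the check that produced the error in the original question. The allow-list, the vendor origin and the function names are constructed for the example.

```javascript
// Added example (not from the thread): a model of the CORS credentials rule.
// Origins and the allow-list below are constructed placeholders.

const ALLOWED_ORIGINS = new Set([
  'https://apps.example-vendor.test', // constructed: the vendor app platform
]);

// Server side: choose the CORS response headers for an incoming Origin.
// Only an allow-listed origin is echoed back; the wildcard is reserved for
// anonymous (non-credentialed) access.
function decideCorsHeaders(requestOrigin, allowCredentials) {
  if (!allowCredentials) {
    // Public, cookie-less endpoint: a wildcard is acceptable.
    return { 'Access-Control-Allow-Origin': '*' };
  }
  if (!ALLOWED_ORIGINS.has(requestOrigin)) {
    // Unknown origin: send no CORS headers, so the browser blocks the response.
    return {};
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin, // exact match, never '*'
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // the answer depends on Origin; keep caches honest
  };
}

// Browser side: the response check a browser applies to a fetch/XHR before
// exposing the body to script. Returns null when the response is allowed,
// otherwise a string explaining why it was blocked.
function browserCorsCheck(headers, requestOrigin, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) {
    return 'missing Access-Control-Allow-Origin';
  }
  if (withCredentials && acao === '*') {
    return "wildcard '*' cannot be used when the credentials flag is true";
  }
  if (acao !== '*' && acao !== requestOrigin) {
    return `origin ${requestOrigin} is not allowed by ${acao}`;
  }
  if (withCredentials && headers['Access-Control-Allow-Credentials'] !== 'true') {
    return 'Access-Control-Allow-Credentials is not "true"';
  }
  return null;
}

// Walk through the thread's situation and the fixed configuration.
function scenario() {
  const vendor = 'https://apps.example-vendor.test';
  return {
    // What the question hit: wildcard origin + withCredentials.
    wildcardWithCookie: browserCorsCheck(
      { 'Access-Control-Allow-Origin': '*' }, vendor, true),
    // Same wildcard is fine once the request carries no cookie.
    wildcardAnonymous: browserCorsCheck(
      { 'Access-Control-Allow-Origin': '*' }, vendor, false),
    // The server-side fix: a named origin from the allow-list.
    allowListed: browserCorsCheck(decideCorsHeaders(vendor, true), vendor, true),
    // An origin not on the list gets nothing and is blocked.
    unknownOrigin: browserCorsCheck(
      decideCorsHeaders('https://other.test', true), 'https://other.test', true),
  };
}

console.log(scenario());
```

The model only mirrors the response-side check; it does not send any requests. Its point is the one Ophir makes: the decision is on the target site, which has to name the calling origin explicitly, so a client-side change alone cannot make a cookie-bearing request succeed against a wildcard policy.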