I’m currently implementing CIS2 separate auth and have created a config in connection manager with a local host redirect.
I can happily redirect and authenticate but then I end up on the authorize page with “Submit this form” as the title and a console error of “Sending form data to ‘https://localhost:7042/Authentication/NHSCallback’ violates the following Content Security Policy directive: “form-action ‘self’ https://nhsmailmo.b2clogin.com/nhsmailmo.onmicrosoft.com/oauth2/authresp.”
How can I get past this?
We don’t support form-post as a return method as we enforce CSP. Please use query parameter instead or reach out to our onboarding team
Hi John, I am redirecting using a get method. I then go through the while NHS authentication process using a security key. The error seems to be how it a then tries to return to my application https://localhost:7042/Authentication/NHSCallback. This is my redirect url.
I’ve figured it out if anyone else comes across this issue. I am using .Net and using the .Net tutorial example which it would seem is out of date.
When you are configuring authorisation in the AddOpenIdConnect method do this:
options.ResponseMode = OpenIdConnectResponseMode.Query;
options.ResponseType = OpenIdConnectResponseType.Code;
Then life is good.
Please feel free to post a PR to the examples if there are issues, as mentioned in your other post, these are managed by the API team at the moment
Hi Steve, I’m working on a .NET 8 API that tries to access Spine INT via CIS2 Separate Auth mode. I hit the same problem with form post as you did and adding “query” option to the OpenIdConnect options in Program.cs helped me get past that, thanks to you.
Just wondering if you’d already cracked the CIS2 bit as I hit another exception-“InvalidOperationException: An invalid request URI was provided. Either the request URI must be an absolute URI or BaseAddress must be set.”
Here’s the authority that I provide - https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/
And my callback URL is - https://localhost:7010/auth/cis2/callback
I’d appreciate any help/tips.
Cheers,
Prince
I can’t comment on any .Net library being used, but it looks like you either need to provide the base path (so it can find and use the well known configuration) or explicitly provide all CIS2 Auth URLs. From the message you are mixing these two options
The base URL cannot include the well known configuration parts - this is added by your library
Hi John,
You’re right — the well-known configuration part is added by the .NET OpenID Connect library. I’ve omitted it, so the final auth URL now looks like this:
https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare
However, I’m still ending up with a blank OAuth2 error page.
This is my first time using OpenID Connect, and I don’t fully understand what’s happening under the hood. Because of that, I’m struggling to identify where I might be going wrong or what I’m missing.
I’m sharing the URL of the error page below in case it helps with diagnosing the issue:
https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/authorize?
client_id=1111111111.MyProduct-integration.uniqueGuid.apps&
redirect_uri=https%3A%2F%2Flocalhost%3A7010%2Fsignin-oidc&
response_type=code&
scope=oidc%20profile%20nationalrbacaccess%20email&
code_challenge=NxPZ4f1eviKxKzRSe706sx8QjY_h-GYkn72-Xm0ninY&
code_challenge_method=S256&
nonce=639179767301631308.OGQxYzE2ODYtNzBjZS00N2NmLTg2ZmEtMjZiNmM1YTUyOWEwYjZjMGFlN2MtODBlNC00YjQ2LWE4MjAtN2NhYTRmZjI3N2U0&
acr_values=AAL3_ANY&
state=CfDJ8Lxd15ml6FpKsZYO4CHQkzNJtTSIfGN1r494fvhKHnvhgLwO-lTgOfbMmCnf0zOUtD68Tj86wwwP_MmxiD06QGuHoZHAwM03hOiw-wTFdTBlYGhXvNnMhOzx2vxXenV5sFu8fAyO052kZ7o1B-x1eYobYkUqCGUjhRBLTyRnBvYtn4wbb2pBBhaNhUnq-sPz3s4zhB5fmyGpOqCUJtJzZZSdNgb-fOkjgAt2dcozyFHzYYIBDVeYdCbC01MJhco0-aRhOSlfYHIy2qhDb0b0AgcESczoePEJgONjcsvJKD0Lx5YuWwU0EW9kJ2rYND6QRl–Opob6YrJqfuE_TolarmIg78FI9915GqG00cklGBUeP1dWGmomaJqmtXMLC9R0K8pxuNT_ew7LPdDucOvB7MSzHzFNzxosEUcNMpZGQcl&x-client-SKU=ID_NET8_0&x-client-ver=7.0.3.0