Authenticating (REST) - OPTIONS Request returns 405 Method Not Allowed

Hello everybody,
I’m using ForgeRock Access Management 7.2.0 Build 64ef7ebc01ed3df1a1264d7b0400351bc101361f (2022-June-27 08:15) and I’m following the instructions in the page Build a protected web app with React.

Everything seems to be setup correctly (CORS included ofc since my test app and my local AM are deployed on using 2 different host names) and the app is correctly displayed in the browser. The only difference with the tutorial is that I setup my application and my local version of AM to run in HTTP and not HTTPS.

When I click on the sign-in button the browser generate 2 request (due to CORS):

The preflight request:
OPTIONS http://identity.sp.am.local.lan/am/json/realms/root/realms/alpha/authenticate?authIndexType=service&authIndexValue=Login
which fails with: 405 Method Not Allowed

and the actual request:
POST http://identity.sp.am.local.lan/am/json/realms/root/realms/alpha/authenticate?authIndexType=service&authIndexValue=Login
which is then blocked by the browser because the preflight failed: CORS error

I then tested with postman the OPTION request and it also fails with status code 405.

So I’m wondering why my AM do not accept OPTION requests for this API endpoint.
Is it because HTTP and not HTTPS? Or is this a BUG?

Am I missing anything else?
Thanks in advance for your support.

Hi @savareda

Have you tried adding OPTIONS as an allowed method in your CORS configuration? I recall encountering this in the past and I believe that was how the issue was resolved.

HI @savareda,

I remember having the exact same issue with the tutorial - and, if I remember well, http was the issue. It might be better using a secure connection with AM - as anyway - in real applications - this is what should be done,

Regards
Patrick

Hello, thanks for your feedback!

@mwtech I tried, didn’t work :frowning:

@patrickdiligent Then I’ll try changing the setup to https. Of course it what is done in prod but for a local configuration on my machine, which I use for testing features, is just a bit annoying to do all the fuss to use https .