Tag Archives: K2 5.0

K2 5.0 unable to read CORS settings from SmO when using the Workflow REST API in JavaScript

If you are trying to use K2 Workflow REST API in JavaScript (as described in product documentation) you may see the issue described below (and you may want to upgrade to 5.1 to resolve it 😉 ).

You have CORS settings configured correctly for domain which hosts your JavaSript, i.e. you have settings similar to these:

Workflow REST API Settings

Screenshot above assumes that your JS resides within js.denallix.com domain, upon attempt to execute JS code you will be getting errors.

Using Chrome you will be getting the following error:

1 Failed to load https://k2.denallix.com/Api/Workflow/preview/workflows/?_=1523444398270: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘https://js.denallix.com’ is therefore not allowed access. The response had HTTP status code 400.

IE will also give you an error but less clear one:

SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.

Here is the screenshot of error message from Chrome browser:

And here is what you can see in Fiddler:

In case you want to reproduce this you may use sample code which returns a list of Workflows either owned or startable for the user credentials supplied from K2 documentation).

So you would expect CORS settings configured for Workflow REST API supposed to ensure we have it working fine, but it does not work. What’s wrong here?

If you enable Workflow API logging you can see the following in this log:

w3wp.exe Warning: 0 : Failed to retrieve CORS settings.
System.InvalidOperationException: Failed to determine user principal name
at SourceCode.Forms.AppFramework.ConnectionClass.HandleIdentityImpersonation(Boolean asAppPool, Action action)
at SourceCode.Forms.AppFramework.ConnectionClass.TryCredentialToken(BaseAPIConnection connection, String credentialToken, Boolean asAppPool)
at SourceCode.Forms.AppFramework.ConnectionClass.GetPoolConnection(Boolean asAppPool, Boolean& tokenApplied, String& credentialToken)
at SourceCode.Forms.AppFramework.ConnectionClass.Connect(BaseAPI baseAPI, Boolean asAppPool)
at SourceCode.Web.Api.Common.DataContexts.K2DataContext.EnsureConnectionIsOpen[T](T api)
at SourceCode.Web.Api.Common.DataContexts.K2DataContext.GetCorsSettings()

This means that when you send the request, the workflow API tries to retrieve the CORS settings from the SmartObject. When it does that, it makes a connection to host server. For some reason the connection is failing with an error “Failed to determine user principal”.

Because of this exception CORS settings are not retrieved and the list of allowed origin is empty on the web API side and this lead to the error mentioned above (The response had HTTP status code 400). In K2 5.0 something in the stack is not parsing/decoding the authentication credentials (from the state it was coming from the AJAX call) correctly and thus the identity isn’t recognized causing a failure in the connection.

If you are still on K2 Five (knowing how many people running older version I’m not very comfortable with this wording 🙂 ) your workaround for this issue is to remove the authorization header from the AJAX call and let the browser prompt you for username and password. Here is sample HTML code for that (essentially we just removing var username and war password in $.ajaxSetup):

But in case you running new and shiny 5.1 or ready to upgrade your 5.0 environment to this version, it will work just fine there without need to employ any workarounds.

And here is the ling to official KB covering the same issue: “Failed to load….No Access Control Allow Origin.”