search

Kong / kong

🦍 The Cloud-Native API Gateway and AI Gateway.
https://konghq.com/install/
Apache License 2.0
39.35k stars 4.82k forks source link

CORS error when accessing METABASE through kong and keycloak #13899

Open iilr-g opened 5 days ago

iilr-g commented 5 days ago

Is there an existing issue for this?

Kong version ($ kong version)

I'm using kong:2.8.5-alpine with the OIDC plugin provided by Nokia (https://github.com/nokia/kong-oidc)

Current Behavior

My current scenario is a Service Provider (Metabase) which has to be accessed once the user has been authenticated via keycloak. The main point and particularity is that, given that the authentication by keycloak is a must to provide access to Metabase, the authentication is not passed to Metabase (I'm not using key auth plugin), so the user will be allowed to access the Metabase service and then she/he will need to provide credentials in the Metabase login page to access.

So everything is working as expected: I try to access /metabase through kong, and it redirects to keycloak. I give the credentials, then APPARENTLY I'm redirected to metabase. The point is that when the browser is trying to download some resources from metabase, it gives CORS error, and some errors through the console like:

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'

Note that also I was expecting to be fully in metabase when the previous authentication with keycloak was performed, but I still see some redirects with this path:

http://keycloak-idb:9092/realms/MetabaseConnect/protocol/openid-connect/auth?scope=openid&nonce=7e666b6c4c16668db3a7a967b6570482&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fmetabase%2Fapp%2Ffonts%2FLato%2Flato-v16-latin-regular.woff2%2F&response_type=code&state=1d6b58c6971f333df8dd405f002c7f14&client_id=kong

when trying to download the resources, which is also something I don't fully understand, as once the authentication is completed kong should just let the requests flow between the browser and metabase, not involving keycloak again unless the token is expired (which is definitely not the case).

Thanks beforehand

Expected Behavior

explained before

Steps To Reproduce

-

Anything else?

no

xianghai2 commented 4 days ago

The recommendation is to use Kong version 3.8 .

iilr-g commented 4 days ago

The recommendation is to use Kong version 3.8 .

Even changing the kong version to 3.8.0 the error remains the same

chobits commented 6 hours ago

hi @iilr-g

We’d like to assist you, but your issue involves a wide scope of background knowledge, which may require significant time for other Kong community members to fully understand and investigate. After reading your description twice, I still find it challenging to grasp the core of the problem, especially regarding aspects like Metabase, CORS, and the unlinked resources you mentioned.

To help us better understand and debug the issue, could you narrow down the problem scope? For example, provide details on what you expect from Kong (e.g., output/behavior), the current behavior you're observing, and, most importantly, a minimal set of steps to reproduce the issue.

And from your description, I have some question like

The main point and particularity is that, given that the authentication by keycloak is a must to provide access to Metabase, the authentication is not passed to Metabase (I'm not using key auth plugin), so the user will be allowed to access the Metabase service and then she/he will need to provide credentials in the Metabase login page to access.

I dont know how kong works in this proxy chain, like client --> kong --> metabase ? Does kong need to handle the authentication by keycloak? (Also note that i have no backgroud knowledge of authentication by keycloak)

The point is that when the browser is trying to download some resources from metabase, it gives CORS error, and some errors through the console like: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'

I also didnt know this error, so I seek help from gpt chat bot, I think that means we need let your backend server or Kong return right header like Access-Control-Allow-Origin, you could dig up this problem from this point.

Note that also I was expecting to be fully in metabase when the previous authentication with keycloak was performed, but I still see some redirects with this path: http://keycloak-idb:9092/realms/MetabaseConnect/protocol/openid-connect/auth?scope=openid&nonce=7e666b6c4c16668db3a7a967b6570482&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fmetabase%2Fapp%2Ffonts%2FLato%2Flato-v16-latin-regular.woff2%2F&response_type=code&state=1d6b58c6971f333df8dd405f002c7f14&client_id=kong when trying to download the resources, which is also something I don't fully understand, as once the authentication is completed kong should just let the requests flow between the browser and metabase, not involving keycloak again unless the token is expired (which is definitely not the case).

I am guessing the authentication you descriped is not a single http request for kong/backserver, I think we need to figure out firstly how the request streams run and then investigate which request encounter problem.