ThreeMammals / Ocelot

.NET API Gateway
https://www.nuget.org/packages/Ocelot
MIT License
8.24k stars 1.62k forks

'authorization' is missing in Access-Control-Allow-Headers only in a specific request #2093

Closed mtlive closed 4 weeks ago

mtlive commented 1 month ago

We tried to use Ocelot for our gateway, but our SignalR requests (in HTTP) ended up in Error 401 Unauthorized. I looked up the network requests and noticed that 'authorization' is missing in Access-Control-Allow-Headers.

This problem doesn't exist when connected directly or for other requests in other paths. I even tried to create a separate route for this path but the issue still remains.

Expected Behavior

authorization should be included in Access-Control-Allow-Headers in the OPTIONS request method.

Actual Behavior

It's missing

Specifications

raman-m commented 1 month ago

Hello @mtlive ! Welcome to Ocelot world! 🐯

Indeed, authentication and authorization have not been implemented in Ocelot for the Websockets feature. There's an ongoing issue, #1040, which is currently in progress. However, it's unclear when it will be resolved as there are no open PRs at the moment.

I will mark our issue as a duplicate of #1040. At least we have to implement both tickets #1040 and #2093 in one PR. Let me know if this issue is about another dev case.


> This problem doesn't exist when connected directly or for other requests in other paths. I even tried to create a separate route for this path but the issue still remains.

When you said "directly", did you try without Ocelot or with Ocelot? Did you test an anonymous route definition? I mean, if you want authorization by Ocelot and it is not implemented, then you have to redefine it to route anonymous traffic only.

Show us your ocelot.json plz!

Ideally, better to upload your solution to GitHub as a repo.

mtlive commented 1 month ago

> Indeed, authentication and authorization have not been implemented in Ocelot for the Websockets feature.

I don't do authentication at Ocelot, it'll be done at the service. Furthermore, this request isn't in WebSocket.

> When you said "directly" did you try without Ocelot or with Ocelot?

By directly I mean without Ocelot. My configuration:


```json
{
  "Routes": [
    {
      "DownstreamPathTemplate": "/api/{everything}",
      "DownstreamScheme": "http",
      "SwaggerKey": "officeautomation",
      "DownstreamHostAndPorts": [
        {
          "Host": "192.168.10.209",
          "Port": 5001
        }
      ],
      "UpstreamPathTemplate": "/officeautomation/api/{everything}"
    }
  ]
}
```

raman-m commented 4 weeks ago

Okay, it appears I've identified the issue. However, I need to examine your C# configuration code.

🙏 Provide your Ocelot setup and configuration C# code, specifically the program.cs file❗

My current understanding of your problem is a missing CORS setup in the Ocelot web app.

Finally I'd say you need this setup to enable OPTIONS via CORS:

raman-m commented 4 weeks ago

Apologies, this isn't an actual issue but rather a misconfiguration. I will convert this to a discussion...
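
As an added example (not part of the thread and not Ocelot code), the following checks a captured preflight response the way the Fetch specification's header check works, which is the symptom reported above. It goes slightly beyond the thread by also covering the `*` wildcard, which never covers `Authorization`; the origin and all header values are constructed samples, and `missingAllowedHeaders` is a hypothetical helper name.

```javascript
// Added example: evaluates a CORS preflight response against the headers
// the browser asked for. All header values below are constructed samples.

// Split a comma-separated header value into lowercase tokens.
function parseList(value) {
  return (value || "")
    .split(",")
    .map((t) => t.trim().toLowerCase())
    .filter((t) => t.length > 0);
}

// Return the requested headers that the preflight response does not allow.
// `credentialed` is true when the request carries credentials (cookies);
// in that mode "*" is a literal header name, not a wildcard.
function missingAllowedHeaders(requestHeaders, responseHeaders, credentialed = false) {
  const requested = parseList(requestHeaders["access-control-request-headers"]);
  const allowed = new Set(parseList(responseHeaders["access-control-allow-headers"]));
  const wildcard = allowed.has("*") && !credentialed;
  return requested.filter((name) => {
    if (allowed.has(name)) return false;
    // "authorization" is never covered by the wildcard; it must be listed.
    if (wildcard && name !== "authorization") return false;
    return true;
  });
}

// Constructed preflight (OPTIONS) request headers for a SignalR call via a gateway.
const preflightRequest = {
  origin: "https://app.example.test",
  "access-control-request-method": "POST",
  "access-control-request-headers": "authorization,x-requested-with,x-signalr-user-agent",
};

// Constructed responses: one omitting authorization, one wildcard, one corrected.
const omitsAuthorization = { "access-control-allow-headers": "x-requested-with,x-signalr-user-agent" };
const wildcardOnly = { "access-control-allow-headers": "*" };
const corrected = { "access-control-allow-headers": "Authorization, X-Requested-With, X-SignalR-User-Agent" };

for (const [label, res] of Object.entries({ omitsAuthorization, wildcardOnly, corrected })) {
  const missing = missingAllowedHeaders(preflightRequest, res);
  console.log(label, missing.length ? `blocked, missing: ${missing.join(", ")}` : "allowed");
}
```

Running the same check against the OPTIONS response seen through the gateway and the one seen from the service directly shows which hop is producing the incomplete header list.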