babelouest / glewlwyd

Experimental Single Sign On server, OAuth2, OpenID Connect, multiple factor authentication with HOTP/TOTP, FIDO2, TLS Certificates, etc., extensible via plugins
https://babelouest.github.io/glewlwyd

[Feature request] Additional CORS related header configuration #201

Closed ghost closed 2 years ago

ghost commented 2 years ago

Is your feature request related to a problem? Please describe.
There is no way to configure Allowed/Exposed headers through the Glewlwyd configuration.

Describe the solution you'd like
It would be very helpful if the following configuration attributes were available in glewlwyd.conf, apart from allow_origin="*":
allowed_headers=""
exposed_headers=""

Describe alternatives you've considered
Maybe proxying Glewlwyd with nginx would allow decorating the responses with the additional headers.

babelouest commented 2 years ago

Hello @timmotw ,

That's doable, it's a small change in the option callback to display this configuration:

/* Callback for OPTIONS * (CORS preflight) requests: advertises the allowed
   methods and request headers; normal GET/POST responses do not pass through here. */
int callback_glewlwyd_options (const struct _u_request * request, struct _u_response * response, void * user_data) {
  UNUSED(request);
  UNUSED(user_data);
  ulfius_add_header_to_response(response, "Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
  ulfius_add_header_to_response(response, "Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Bearer, Authorization, DPoP");
  /* Preflight result may be cached by the browser for 1800 seconds */
  ulfius_add_header_to_response(response, "Access-Control-Max-Age", "1800");
  return U_CALLBACK_COMPLETE;
}

Do you think the Access-Control-Max-Age should also be controlled in the configuration file?

ghost commented 2 years ago

To be honest I added the code at the function you mentioned, but no matter what I would not see the header in the response.

babelouest commented 2 years ago

That's because this callback function is for the OPTIONS * urls; you're probably looking at the response headers for a GET * request.

You may want to add new default headers here to test your changes: https://github.com/babelouest/glewlwyd/blob/master/src/glewlwyd.c#L544

ghost commented 2 years ago

Thank you @babelouest. I am pretty sure I added the code there as well but I will try again

ghost commented 2 years ago

@babelouest I have set up an nginx reverse proxy for Glewlwyd so I can control the headers accordingly, at least for now. What I noticed is that after the /auth request redirects to the login.html page, the port is not the proxy's port 80 anymore but is changed back to the Glewlwyd default port. Would it be a good idea to control this from the Glewlwyd configuration, or is there some other way I am missing here?

babelouest commented 2 years ago

Maybe you did not change the external_url value accordingly in your glewlwyd.conf file.

If that's not it, can you post the different urls that are accessed in your browser?

ghost commented 2 years ago

That did the trick! Thank you!

ghost commented 2 years ago

@babelouest I tried the Authorization Code flow with this tool and it works great. The only thing I noticed is that on each "Get New Access Token" the login page appears. Is this expected? It is a matter of the Glewlwyd web application rather than a problem with the flow, right?

Though if I request a token using the URL box and send it as a GET request, I get the token without the login page:

babelouest commented 2 years ago

I don't know this tool so my guess would be to read its documentation or contact its author for these kinds of questions.

babelouest commented 2 years ago

So the following properties have been added to the config file:

# Access-Control-Allow-Methods header value, default 'GET, POST, PUT, DELETE, OPTIONS'
allow_methods="GET, POST, PUT, DELETE, OPTIONS"

# Access-Control-Allow-Headers header value, default 'Origin, X-Requested-With, Content-Type, Accept, Bearer, Authorization, DPoP'
allow_headers="Origin, X-Requested-With, Content-Type, Accept, Bearer, Authorization, DPoP"

# Access-Control-Expose-Headers header value, default 'Content-Encoding, Authorization'
expose_headers="Content-Encoding, Authorization"

It's still in development but you can test it by getting the git master branch of glewlwyd and its dependencies, especially ulfius.
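One way to verify that a running instance actually emits what glewlwyd.conf says, and to avoid the OPTIONS-versus-GET confusion earlier in this thread: the checker below is an added example, not Glewlwyd's or ulfius's own code. It parses the three config keys above plus allow_origin from a constructed conf fragment and compares captured response headers against them, assuming Allow-Methods/Allow-Headers only appear on the OPTIONS preflight and Expose-Headers only on normal responses.

```python
import re

# Constructed glewlwyd.conf fragment: key names as in the thread, values constructed.
CONF = '''
allow_origin="*"
allow_methods="GET, POST, PUT, DELETE, OPTIONS"
allow_headers="Origin, X-Requested-With, Content-Type, Accept, Bearer, Authorization, DPoP"
expose_headers="Content-Encoding, Authorization"
'''

def parse_conf(text):
    """Read key="value" lines; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"([^"]*)"\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def expected_headers(conf, method):
    """Headers the server is assumed to derive from the config for one request.
    Assumption: Allow-Methods/Allow-Headers come only from the OPTIONS (preflight)
    callback, Expose-Headers only from normal responses, Allow-Origin from both."""
    hdrs = {"Access-Control-Allow-Origin": conf["allow_origin"]}
    if method == "OPTIONS":
        hdrs["Access-Control-Allow-Methods"] = conf["allow_methods"]
        hdrs["Access-Control-Allow-Headers"] = conf["allow_headers"]
    else:
        hdrs["Access-Control-Expose-Headers"] = conf["expose_headers"]
    return hdrs

def tokens(value):
    """Comma-separated header list as a case-insensitive token set."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def check_response(conf, method, response_headers):
    """Compare a captured response's CORS headers with the config; return problems."""
    got = {k.lower(): v for k, v in response_headers.items()}
    problems = []
    for name, want in expected_headers(conf, method).items():
        have = got.get(name.lower())
        if have is None:
            problems.append(f"{method}: missing {name}")
        elif tokens(have) != tokens(want):
            problems.append(f"{method}: {name} differs by {sorted(tokens(have) ^ tokens(want))}")
    # Browsers reject a wildcard origin combined with credentials: flag that pairing.
    if conf["allow_origin"] == "*" and got.get("access-control-allow-credentials", "").lower() == "true":
        problems.append(f"{method}: allow_origin='*' with Allow-Credentials: true")
    return problems
```

Feed it the header dicts captured from a preflight and from a normal request to the same endpoint; a GET that lacks Expose-Headers is reported separately from a preflight whose Allow-Headers list is incomplete.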

ghost commented 2 years ago

@babelouest thank you very much for adding this!