goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

OAuth CORS does not take into account RegEx #3084

Open fayalalebrun opened 2 years ago

fayalalebrun commented 2 years ago

Describe the bug: CORS rules are specified in the same field as redirect URLs. However, in contrast to redirect URLs, CORS requests do not seem to use any form of RegEx.

https://github.com/goauthentik/authentik/blob/350f0d836580f4411524614f361a76c4f27b8a2d/authentik/providers/oauth2/utils.py#L44 In this line the URL is parsed and shortly afterwards compared directly to any of the passed rules. This function does not take any regex into account.

To Reproduce: Steps to reproduce the behavior:

  1. Go to 'Providers'
  2. Create an OAuth Provider
  3. Specify ".*" in the Redirect URIs field
  4. Perform a request to the application/o/<slug>/.well-known/openid-configuration endpoint.
  5. The CORS headers in the response will be missing.

Expected behavior: CORS allowed origins respect the same RegEx rules as redirect URLs.

Logs

server_1       | {"allowed": [".+", "http://.*"], "event": "CORS: Origin is not an allowed origin", "host": "authentik.redacted.io", "level": "warning", "logger": "authentik.providers.oauth2.utils", "pid": 23, "request_id": "7197b556022548e1849a1814014b355f", "requested": ["http", "localhost:3000", "", "", "", ""], "timestamp": "2022-06-13T17:15:51.891612"}

Version and Deployment (please complete the following information):

Additional context: I would like to accept CORS requests from a range of subdomains. Possible workarounds are appreciated.
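The mismatch described in this report, as an added illustration that is not authentik's own code (the rule list and origins below are constructed): a direct comparison of the parsed Origin against the configured rules, next to an anchored regex match over the whole Origin string, plus the escaping a literal origin needs once entries are treated as regexes.

```python
import re
from urllib.parse import urlparse

# Constructed sample rules: the two regex entries from the log line plus one literal origin.
ALLOWED = [".+", "http://.*", "https://app.example.com"]


def origin_allowed_literal(allowed, origin):
    """Behaviour reported in the issue: the Origin is parsed and compared
    directly with each rule, so a regex rule such as ".*" can never match."""
    parsed = urlparse(origin)
    return any(urlparse(rule) == parsed for rule in allowed)


def origin_allowed_regex(allowed, origin):
    """Expected behaviour: each rule is an anchored regex over the full Origin
    string (fullmatch, not search, so "http://.*" cannot match an https origin)."""
    return any(re.fullmatch(rule, origin) for rule in allowed)


def literal_rule(origin):
    """Turn a literal origin into a rule matching only that origin; an unescaped
    "." in an entry would otherwise match any character."""
    return re.escape(origin)


def cors_headers(allowed, origin):
    """Headers to emit for a request carrying the given Origin. The matched
    origin is reflected rather than "*", so the grant stays scoped, and Vary
    keeps caches from serving one origin's response to another."""
    if origin and origin_allowed_regex(allowed, origin):
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    origin = "http://localhost:3000"
    print(urlparse(origin))  # the tuple the log's "requested" field shows
    print(origin_allowed_literal(ALLOWED, origin))  # False: no rule equals the parsed origin
    print(origin_allowed_regex(ALLOWED, origin))    # True: ".+" and "http://.*" both match
    print(cors_headers(ALLOWED, origin))
```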

BeryJu commented 2 years ago

just FYI this would've also been broken with the old system of allowing "*" as redirect_uri

codingCoffee commented 1 year ago

Hey! I'm hosting authentik behind a reverse proxy (nginx) and my application is unable to access the openid-configuration because authentik is raising a CORS error. I tried putting * as the redirect_uri and also tried using the URL of my application. The CORS error persists in both cases. Is there any fix / workaround for this?

skiwheelr commented 1 year ago

I am also having this issue. Tried . and .+

rafalkrupinski commented 1 year ago

What's the workaround?

masfaraud commented 11 months ago

any update?

fooware commented 6 months ago

@BeryJu; this issue was marked as bug/confirmed since the middle of 2022, any news?

The help text when creating / editing the provider doesn't really make it clear that you need to use different formats for the "Redirect URIs" and "Origins" even though they are in the same input box, nor explicitly mention that the suggested wildcard solution will not work for CORS.

[image]

Granted, we are running version 2023.10.7, so there might have been an update to this issue after that.

idc77 commented 4 months ago

This is still an issue.

The "workaround" is to explicitly state every single redirect_uri.

Also this IDP or whatever you want to call authentik, needs a dev mode. In Keycloak one can just create a new client and use that as a dev client, with all the insecure redirect_uris. Here you need to create a completely new application.

I also don't like how all the userbase is shared across all applications. This collides with EUGDPR or rather the digital markets act.

solomonaboyeji commented 3 months ago

This issue does not make preview pages (URLs) work as they always have different sub-domain anytime a new PR is created.

fooware commented 1 month ago

> I also don't like how all the userbase is shared across all applications. This collides with EUGDPR or rather the digital markets act.

@idc77, could you elaborate on that statement?