Open kamilkloch opened 1 year ago
I have experienced the same problem.
oathkeeper appends duplicate CORS headers to the response (in addition to CORS headers added by the underlying services).
This could be avoided if we could strip upstream headers, however there doesn't seem like there's a supported way to do this.
Wouldn't the easier solution be to turn off the cors headers on the upstream, if oathkeeper handles them anyways, or vice versa (turn of in oathkeeper, turn on in upstream)?
@aeneasr
turn of in oathkeeper, turn on in upstream)
this way you will not have correct cors if client send request with incorrect or expired session
Wouldn't the easier solution be to turn off the cors headers on the upstream, if oathkeeper handles them anyways, or vice versa (turn of in oathkeeper, turn on in upstream)?
We turned off CORS header for oathkeeper, but the error handler gets CORS error ...
Could we enable oathkeeper to configure CORS headers only for error handlers?
@aeneasr
Preflight checklist
Describe the bug
We are using oathkeeper and kratos services. When oathkeeper CORS config looks as follows:
then the request
produces the following output in the headers:
oathkeeper appends duplicate CORS headers to the response (in addition to CORS headers added by the underlying services).
This is quite problematic, as it breaks CORS requests issued by the browser: https://crashtest-security.com/multiple-values-access-control-allow-origin/ "While the header does support multiple origins, browsers usually do not. "
Reproducing the bug
curl -v 'https://webapi-user.our-company.com/api/v1/datafeed/rollingbar?name=ADAUSD' -H 'origin: https://ui-admin.our-company.com'
Relevant log output
No response
Relevant configuration
Version
0.40.2
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
No response