thomseddon / traefik-forward-auth

Minimal forward authentication service that provides Google/OpenID oauth based login and authentication for the traefik reverse proxy
MIT License

Option to allow CORS/OPTIONS #186

Open abarthol opened 4 years ago

abarthol commented 4 years ago

Is it possible to add "Access-Control-Allow-Origin" in header on the redirect?

I get Access to fetch at 'https://some-url' from origin 'https://some-other-url' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Traefik headers middleware (https://docs.traefik.io/middlewares/headers/) seems not to work together with forward auth.

thomseddon commented 4 years ago

I think you could work around this by creating a rule:

rule.allow-cors.action = allow
rule.allow-cors.rule = Method(`OPTIONS`)

This will forward the OPTIONS request through to your app, could you test if something like that would work?

It may make sense to add a built-in option to allow something like this

abarthol commented 4 years ago

That sounds like it could work for me.

I'll try.

thomseddon commented 3 years ago

Leaving this open to track the possible enhancement

muly commented 3 years ago

@thomseddon, could you please help me understand in which file these rules need to be added?

thomseddon commented 3 years ago

You can either add a configuration file, which you point to with the --config parameter or $CONFIG env var (as documented in README)

Alternatively, you can specify rules as parameters like this: https://github.com/thomseddon/traefik-forward-auth/blob/6c6f75e80dcea7e4d5bd3fcdf638a0b016544f19/internal/config_test.go#L51-L54

davidbayo10 commented 3 years ago

Same problem here! I think OPTIONS requests should not be authenticated. I think, by default, it should be disabled and enabled if desired.

davidbayo10 commented 3 years ago

I currently fixed this as mentioned. Here you have my piece of code for a Kubernetes deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-sso
  labels:
    app: traefik-sso
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik-sso
  template:
    metadata:
      labels:
        name: traefik-sso
        app: traefik-sso
    spec:
      containers:
      - name: traefik-sso
        image: thomseddon/traefik-forward-auth:2
        args:
          - "--rule.http-options-requests.action=allow"
          - "--rule.http-options-requests.rule=Method(`OPTIONS`)"

Radiergummi commented 1 year ago

Correspondingly, for a Docker {Swarm,Compose} deployment:

  forward-auth:
    image: "thomseddon/traefik-forward-auth:2"
    command:
      - "--rule.http-options-requests.action=allow"
      - "--rule.http-options-requests.rule=Method(`OPTIONS`)"

We use traefik-forward-auth to put our staging environment behind an access control layer so only employees can access it. In there, we deploy feature branches on subdomains like foo.staging.bar.com, which still talk to the staging API at staging.bar.com - so now CORS is involved. When including credentials with the requests, things will mostly work, except for preflight requests - which are sent without credentials per the spec, thus forward-auth won't accept them. Configuring this exception solves the issue.

Maybe it would be good to add a paragraph to the Readme? I spent a while before landing here...
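
Because the rule above forwards every OPTIONS request to the app without authentication, the app should answer preflights itself and grant CORS only to its own origins. The following is an added example, not part of the thread or the project's code: hypothetical Go middleware in which the function names, the `/api/items` path and the subdomain allowlist are assumptions, with hostnames taken from the last comment.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// allowedOrigin accepts https://staging.bar.com and its https subdomains (assumed policy).
func allowedOrigin(origin string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" {
		return false
	}
	h := u.Hostname()
	return h == "staging.bar.com" || strings.HasSuffix(h, ".staging.bar.com")
}

// withCORS answers preflights itself, so unauthenticated OPTIONS never reach app logic.
func withCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin")
		if o := r.Header.Get("Origin"); allowedOrigin(o) { // credentialed CORS: exact origin, never "*"
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE")
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// preflight replays a constructed, cookie-less OPTIONS request; returns status, ACAO, app reached.
func preflight(origin string) (int, string, bool) {
	reached := false
	app := http.HandlerFunc(func(http.ResponseWriter, *http.Request) { reached = true })
	req := httptest.NewRequest(http.MethodOptions, "https://staging.bar.com/api/items", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	withCORS(app).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin"), reached
}

func main() { fmt.Println(preflight("https://foo.staging.bar.com")) }
```

Requests with any other method still go through traefik-forward-auth as before; only the preflight is answered without a session.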