-
Notifications
You must be signed in to change notification settings - Fork 188
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add configurable CORS support to SSO Proxy #251
Comments
I believe I'm also running into this, @adityarkj would it be possible to host that image publicly? |
@spencergilbert That would be possible, yes. However, I'd need to touch up the code a little bit before hosting it somewhere, which I might not get time to do for a few weeks at least. |
I think I have the same issue. Earlier I tried to do path-based routing and when that didn't work, I went in this direction. How do others solve this problem of having an authentication-protected frontend sending requests to an authentication-protected backend at a different origin? Seems like it would be a common scenario. I tried to set |
Yeah, I'm trying to get this to work for Grafana and Prometheus, with similar issues. |
I came across this issue too because of the exact same scenario. But for the record...
The SSO proxy does not actually set the CORS headers. It is your upstream application that is setting it, and you need to ensure that there is a specific Finally, set the With the aforementioned in mind, it is very much possible to have both a backend, and frontend proxied through SSO with the frontend being able to talk to the backend. That said, it would be nice to be able to intercept preflight requests / handle CORS at the proxy level. But, perhaps it may bloat the SSO proxy with features that should probably be handled by more complex API gateways like Kong. |
This was a mess for me to figure out; What I ended up doing which works for us because we control both sides of this is:
This is the only thing that I could get working smoothly and consistently. Biggest problem I ran into on the buzzfeed-sso side was the sso-auth.redacted.tld getting blocked because of CORS... I think if I could set the response headers from that to include |
Is your feature request related to a problem? Please describe.
We have a frontend service, behind SSO, running on
frontend.sso.example.com
that makes XHR calls to a backend service atbackend.sso.example.com
.While accessing
frontend.sso.example.com
as an authorised user from Chrome, the session cookie fromfrontend.sso.example.com
isn't being forwarded tobackend.sso.example.com
because the XHR responses from the SSO proxy have the wildcard (*) Access-Control-Allow-Origin header, which is blocked according to CORS - since the two services are on different origins.CORs requires the Access-Control-Allow-Origin header on the XHR response to match the origin domain to forward cookies across different origins.
Describe the solution you'd like
An option to configure CORS for the proxy through environment variables on the Proxy would be great. Or alternatively, a way to configure CORS individually on services through the upstream config file.
Describe alternatives you've considered
I attempted to play around with some of the configuration options currently available, both through the proxy configuration file and through the upstream configuration file, but wasn't able to bypass the issue we faced. In the end, I cloned the project and manually added a CORS library, which we then hosted on our private container registry to use with our services.
Additional context
My issues have been on Chrome and I haven't tested on other browsers
The text was updated successfully, but these errors were encountered: