authentik
application/o/authorize endpoint missing CORS headers
Describe the bug
Not sure it is a bug or a misconfiguration somewhere... Web application is calling the /application/o/authorize/ endpoint from the browser.
It is failing with the message in the Chrome Debug Console:
Access to fetch at 'https://auth.mydomain.com/application/o/authorize/?client_id=xxxxxxxxxx&redirect_uri=https%3A%2F%2Forigin.domain.com%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=email+profile+ak_proxy+openid&state=m2qJvqqq3tNbVgvzIgz7h6l3w4-hErhUX1fd5WmLJ_g' (redirected from 'https://origin.domain.com/info') from origin 'https://origin.domain.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
I do not see the headers: access-control-allow-origin: https://origin.domain.com
To Reproduce
Steps to reproduce the behavior:
1. Create a Forward auth (Single Application) provider and set External host to https://origin.domain.com
2. Make sure the user was already logged in --> no new login requested.
3. Try to get authorisation from https://auth.mydomain.com/application/o/authorize/
Expected behavior
Preflight contains CORS headers
access-control-allow-origin: https://origin.domain.com
Version and Deployment (please complete the following information):
- authentik version: 2024.4.2
- Deployment: docker-compose
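
Added example, not part of the original report and not authentik code: a simplified model of the check a browser applies to a preflight response, showing that a redirect answer to `OPTIONS` fails regardless of which `access-control-*` headers it carries. The request and response objects and the `X-Example-Header` name are constructed for illustration.

```javascript
// Simplified model of a browser's CORS preflight check (added example).
// res = { status, headers } with lower-case header names.
function tokens(value) {
  return (value || "").split(",").map((t) => t.trim()).filter(Boolean);
}

function checkPreflight(req, res) {
  // Status is checked first here, mirroring the Chrome message in the report:
  // a 3xx answer to OPTIONS is never followed, so its headers do not matter.
  if (res.status >= 300 && res.status < 400) return { ok: false, reason: "redirect-on-preflight" };
  if (res.status < 200 || res.status > 299) return { ok: false, reason: "non-2xx-status" };

  const allowOrigin = res.headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return { ok: false, reason: "missing-allow-origin" };
  const wildcardOk = allowOrigin === "*" && !req.credentials;
  if (!wildcardOk && allowOrigin !== req.origin) return { ok: false, reason: "origin-mismatch" };
  if (req.credentials && res.headers["access-control-allow-credentials"] !== "true") {
    return { ok: false, reason: "credentials-not-allowed" };
  }

  // Methods compare case-sensitively; "*" only counts without credentials.
  const methods = tokens(res.headers["access-control-allow-methods"]);
  const safelisted = ["GET", "HEAD", "POST"].includes(req.method);
  const methodStar = methods.includes("*") && !req.credentials;
  if (!safelisted && !methods.includes(req.method) && !methodStar) {
    return { ok: false, reason: "method-not-allowed" };
  }

  // Header names compare case-insensitively; "*" never covers Authorization.
  const allowed = tokens(res.headers["access-control-allow-headers"]).map((h) => h.toLowerCase());
  const headerStar = allowed.includes("*") && !req.credentials;
  for (const name of req.headers.map((h) => h.toLowerCase())) {
    const covered = allowed.includes(name) || (headerStar && name !== "authorization");
    if (!covered) return { ok: false, reason: "header-not-allowed:" + name };
  }
  return { ok: true, reason: "preflight-passes" };
}

// Constructed inputs: X-Example-Header is a hypothetical non-safelisted header.
const request = { origin: "https://origin.domain.com", method: "GET",
                  headers: ["X-Example-Header"], credentials: false };
const redirected = { status: 302, headers: {} };
const expected = { status: 204, headers: {
  "access-control-allow-origin": "https://origin.domain.com",
  "access-control-allow-headers": "x-example-header" } };

console.log(checkPreflight(request, redirected).reason);
console.log(checkPreflight(request, expected).reason);
```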