application/o/authorize endpoint missing CORS headers
Describe the bug
Not sure if it is a bug or a misconfiguration somewhere... The web application is calling the /application/o/authorize/ endpoint from the browser.
It fails with this message in the Chrome debug console:
Access to fetch at 'https://auth.mydomain.com/application/o/authorize/?client_id=xxxxxxxxxx&redirect_uri=https%3A%2F%2Forigin.domain.com%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=email+profile+ak_proxy+openid&state=m2qJvqqq3tNbVgvzIgz7h6l3w4-hErhUX1fd5WmLJ_g' (redirected from 'https://origin.domain.com/info') from origin 'https://origin.domain.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
I do not see the header: access-control-allow-origin: https://origin.domain.com
To Reproduce
Steps to reproduce the behavior:
Create a Forward auth (Single Application) provider and set External host to https://origin.domain.com
Make sure the user was already logged in --> no new login requested.
Try to get authorisation from https://auth.mydomain.com/application/o/authorize/
Expected behavior
Preflight contains CORS headers
access-control-allow-origin: https://origin.domain.com
Version and Deployment (please complete the following information):
- authentik version: 2024.4.2
- Deployment: docker-compose
Seeing this also
This is probably because the preflight request is returning a 302 found instead of a 200 success.
It might be the case as if I clear the cache everything works fine. How can I prevent this 302 and force to get the request?
On Sun, Jun 23, 2024 at 9:59 PM Martin Fracker, Jr. wrote:
> This is probably because the preflight request is returning a 302 found instead of a 200 success.
I have exactly the same issue. In "InPrivate"/Incognito windows it works, but in a normal window I get blocked by CORS policy.
authentik version: 2024.6.2
deployment: helm kubernetes with nginx ingress
Exact same issue. Fresh installation. K0s and ingress with nginx + load balancer + cloudflare.
Deployed with helm. Latest version.
Same issue. Makes Authentik proxy unusable on version 2024.8.2.
Hello, same issue here.
When a user makes a POST request on my webapp and their token is invalid, it redirects to the authorize endpoint. In this case, the browser makes a preflight/OPTIONS request that returns 200 without the header access-control-allow-origin. That way, the next GET request is blocked by the browser.
Looking at the code, it seems that the authorize endpoint doesn't call the method cors_allow. So any OPTIONS request to that endpoint will fail.
I don't know if this is expected, though :/
Also seeing this since update to 2024.8.2/2024.8.3
Also facing this same issue. In my case, the application works fine when I'm logged in. But I have set some paths in the Unauthenticated Paths list, and when I try to access any of these paths from an unauthenticated browser, I get CORS errors.
I have exactly the same issue.
Same here, I suspect this is causing issues with properly getting scopes from authentik: username, email, ak_proxy, etc...
Also running in to this on 2024.8.3
I have the same issue using nginx proxy manager on 2024.10.2
This is still an issue in 2024.12.0.
+1, have the same issue when trying to reverse proxy to this project https://github.com/will-moss/erin
Same issue using Caddy as reverse proxy (for Immich)
I'm running traefik in front of the outpost (embedded), adding something like this in the labels and assigning the middleware to the router fixes the issue for now:
traefik.http.middlewares.authentik-cors.headers.accessControlAllowOriginListRegex: ^https://.+\.(subdomain1|subdomain2)\.example\.org
Exactly the same issue with ingress-nginx as reverse proxy.
Same here, using traefik and cloudflare.
Right-clicking and Reload the page always temporarily resolves the issue. 🙂 It seems the browser is handling the authentication session cache, which allows it to bypass the CORS preflight check. At least it works.
I am also seeing this issue myself and have spent hours trying to troubleshoot.
Anyone got anywhere as of yet?
Hello, after some research, I've found that the authorization endpoint not handling CORS is not a bug but is designed that way: Best Current Practice for OAuth 2.0 Security.
So the problem is that our application does a cross-origin request to this endpoint, which should not handle it.
In my case, the webapp was making a $http POST request to my server, which responded with a 302 to the authorize endpoint, triggering a CORS preflight request and failure...
I fixed that by making my server respond with a 200 with data: {"redirect": <authorize_endpoint_url>}, to which the webapp does a simple GET request, and this works now.
Hope it can help!
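The "200 plus JSON" pattern described in the comment above, as an added example that is neither code from this thread nor authentik's own code. It assumes a hypothetical same-origin API path `/info`, the assumed authorization-server origin `https://auth.mydomain.com`, and a placeholder `client_id`. The server answers an unauthenticated request with a 200 carrying the authorize URL instead of a 302; the client then performs a top-level navigation to it, which the browser does not treat as a cross-origin fetch, so no CORS preflight is sent. Going one step beyond the comment, the client checks the redirect target against an allow-list of authorization-server origins so that a tampered or buggy response cannot send the browser anywhere else.

```javascript
// Added example (not from the thread or from authentik): the
// "200 + {redirect: url}" pattern. Server side answers with JSON, client
// side navigates the whole window instead of letting fetch() follow a 302.

// Server side (hypothetical handler, written framework-free so it runs as-is):
// instead of res.redirect(302, authorizeUrl), answer 200 with JSON.
function buildAuthRequiredResponse(authorizeUrl) {
  return {
    status: 200,
    headers: { "Content-Type": "application/json" },
    body: { redirect: authorizeUrl },
  };
}

// Client side, decision step: given the parsed response, decide what to do.
// The allow-list check is an extra safeguard added here (not described in
// the thread): only absolute https URLs on a known authorization-server
// origin are navigated to.
function planAuthRedirect(status, payload, allowedAuthOrigins) {
  if (status === 200 && payload && typeof payload.redirect === "string") {
    let target;
    try {
      target = new URL(payload.redirect); // throws on relative/garbled input
    } catch (e) {
      return { action: "error", reason: "redirect is not an absolute URL" };
    }
    if (target.protocol !== "https:" || !allowedAuthOrigins.includes(target.origin)) {
      return { action: "error", reason: "redirect origin not allowed: " + target.origin };
    }
    return { action: "navigate", to: target.href };
  }
  return { action: "data", data: payload };
}

// Client side, network step: POST to our own origin (same-origin, so this
// request needs no preflight either), then act on the plan. fetchImpl and
// navigate are injectable so the function can be exercised outside a browser.
async function postWithAuthRedirect(url, data, allowedAuthOrigins,
  { fetchImpl = globalThis.fetch, navigate = (u) => window.location.assign(u) } = {}) {
  const res = await fetchImpl(url, {
    method: "POST",
    credentials: "same-origin",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(data),
  });
  const payload = await res.json();
  const plan = planAuthRedirect(res.status, payload, allowedAuthOrigins);
  if (plan.action === "navigate") navigate(plan.to); // top-level navigation, no CORS
  return plan;
}

// Constructed demonstration: a fake fetch that returns what the server-side
// helper would produce, and a fake navigation that only logs.
const ALLOWED_AUTH_ORIGINS = ["https://auth.mydomain.com"]; // assumed origin
const fakeFetch = async () => ({
  status: 200,
  json: async () => buildAuthRequiredResponse(
    "https://auth.mydomain.com/application/o/authorize/?client_id=placeholder").body,
});
postWithAuthRedirect("/info", { example: true }, ALLOWED_AUTH_ORIGINS, {
  fetchImpl: fakeFetch,
  navigate: (u) => console.log("would navigate to", u),
}).then((plan) => console.log(plan.action)); // "navigate"
```

In a real page the defaults are used (`fetch` and `window.location.assign`); the injectable parameters exist only so the decision logic can be tested outside a browser. Note that `planAuthRedirect` treats a response without a `redirect` field as ordinary data, so the same helper can wrap every API call.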
Can you guide me, bro, where you've passed the data?
Here is the code snippet:

```javascript
import axios from "axios";

// idTokenHint, setUserInfo and setIdTokenHint come from the surrounding
// React component state (not shown in the snippet).
axios.post(
  `https://localhost:9443/application/o/prepaid-card-fino-isu/end-session/`,
  { redirect: "https://localhost:9443/api/v3/flows/executor/default-provider-invalidation-flow" }, // Request body
  {
    params: { // Query parameters
      id_token_hint: idTokenHint,
      post_logout_redirect_uri: "http://localhost:3000/home",
      state: ""
    },
    headers: {
      "Content-Type": "application/json"
    },
    mode: 'cors' // fetch() option; axios does not use it
  }
)
  .then(() => {
    console.log("Logout successful");
    setUserInfo(null);
    setIdTokenHint(null); // Clear token hint
    window.location.href = "http://localhost:3000/home"; // Redirect to Home/Login
  })
  .catch(error => console.error("Logout Error:", error));
```
I'm using traefik as forward proxy and solved this issue by setting the Content-Security-Policy Header of authentik:
traefik.http.middlewares.contentsec.headers.contentsecuritypolicy=frame-ancestors 'self' https://<URL to application>;
Documentation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors