
OAuth CORS does not take into account RegEx

Open fayalalebrun opened this issue 2 years ago • 8 comments

Describe the bug

CORS rules are specified in the same field as redirect URLs. However, in contrast to redirect URLs, CORS requests do not seem to use any form of RegEx.

https://github.com/goauthentik/authentik/blob/350f0d836580f4411524614f361a76c4f27b8a2d/authentik/providers/oauth2/utils.py#L44 In this line the URL is parsed and shortly afterwards compared directly to any of the passed rules. This function does not take any regex into account.

To Reproduce

Steps to reproduce the behavior:

  1. Go to 'Providers'
  2. Create an OAuth Provider
  3. Specify ".*" in the Redirect URIs field
  4. Perform a request to the application/o/<slug>/.well-known/openid-configuration endpoint.
  5. The CORS headers in the response will be missing.

Expected behavior

CORS allowed origins respect the same RegEx rules as redirect URLs.

Logs

server_1       | {"allowed": [".+", "http://.*"], "event": "CORS: Origin is not an allowed origin", "host": "authentik.redacted.io", "level": "warning", "logger": "authentik.providers.oauth2.utils", "pid": 23, "request_id": "7197b556022548e1849a1814014b355f", "requested": ["http", "localhost:3000", "", "", "", ""], "timestamp": "2022-06-13T17:15:51.891612"}

Version and Deployment (please complete the following information):

  • authentik version: 2022.6.2
  • Deployment: docker-compose

Additional context

I would like to accept CORS requests from a range of subdomains. Possible workarounds are appreciated.

fayalalebrun avatar Jun 13 '22 17:06 fayalalebrun
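To make the mismatch concrete, here is an added Python example (not authentik's code) that contrasts an exact-match origin check with one that applies the allowed entries as anchored regular expressions; the allowed list and origin are constructed from the log line in the report, and the subdomain pattern in the docstring is an assumption about what the reporter wants.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Constructed sample values taken from the log line in the issue.
ALLOWED = [".+", "http://.*"]
ORIGIN = "http://localhost:3000"

def origin_allowed_literal(origin: str, allowed: list[str]) -> bool:
    """Exact comparison: the reported behaviour, where "scheme://netloc"
    must equal an allowed entry verbatim, so ".+" never matches."""
    parsed = urlparse(origin)
    return f"{parsed.scheme}://{parsed.netloc}" in allowed

def origin_allowed_regex(origin: str, allowed: list[str]) -> bool:
    """Regex comparison matching what the reporter expects: each allowed
    entry is tried as an anchored pattern (fullmatch, so a pattern such as
    r"https://[a-z0-9-]+\\.example\\.com" cannot match app.example.com.other.test).
    An entry that is not a valid regex, e.g. a bare "*", falls back to a
    literal comparison, which is why "*" on its own never matches anything."""
    parsed = urlparse(origin)
    # Browsers send the literal "null" origin for opaque contexts; it has
    # no scheme, so it is rejected before any pattern is consulted.
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False
    candidate = f"{parsed.scheme}://{parsed.netloc}"
    for pattern in allowed:
        try:
            if re.fullmatch(pattern, candidate):
                return True
        except re.error:
            if pattern == candidate:
                return True
    return False

def cors_headers(origin: str, allowed: list[str]) -> dict[str, str]:
    """Headers for the openid-configuration response: echo the requesting
    origin (never the pattern) and mark the response as varying by Origin
    so a shared cache does not serve it to a different origin."""
    if not origin_allowed_regex(origin, allowed):
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}

if __name__ == "__main__":
    print(origin_allowed_literal(ORIGIN, ALLOWED))  # False
    print(origin_allowed_regex(ORIGIN, ALLOWED))    # True
```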

just FYI this would've also been broken with the old system of allowing "*" as redirect_uri

BeryJu avatar Jun 14 '22 10:06 BeryJu

Hey! I'm hosting authentik behind a reverse proxy (nginx) and my application is unable to access the openid-configuration because authentik is raising a CORS error. I tried putting * as the redirect_uri and also tried using the URL of my application. The CORS error persists in both cases. Is there any fix / workaround for this?

codingCoffee avatar Jun 07 '23 04:06 codingCoffee

I am also having this issue. Tried "*", ".*" and ".+".

skiwheelr avatar Aug 01 '23 13:08 skiwheelr

What's the workaround?

rafalkrupinski avatar Aug 29 '23 10:08 rafalkrupinski

any update?

masfaraud avatar Oct 05 '23 09:10 masfaraud

@BeryJu; this issue has been marked as bug/confirmed since the middle of 2022, any news?

The help text when creating / editing the provider doesn't really make it clear that you need to use different formats for the "Redirect URIs" and "Origins" even though they are in the same input box, nor does it explicitly mention that the suggested wildcard solution will not work for CORS.

[image attached]

Granted, we are running version 2023.10.7, so there might have been an update to this issue after that.

fooware avatar Mar 12 '24 22:03 fooware