nginx-ldap-auth icon indicating copy to clipboard operation
nginx-ldap-auth copied to clipboard

Published 20 hours ago verified publisher icon tiagoapimenta

OPTIONS requests

Open Timer opened this issue 6 years ago • 4 comments

Http OPTIONS requests typically skip authorization because credentials are always omitted in CORS requests -- is there a way we can configure this behavior?

Motivation:

I have two apps, calls.example.com and calls-api.example.com and am trying to share credentials between them. Calls from the web to api fail on OPTIONS requests because auth is required, but not permitted per the specification.

Timer avatar Nov 19 '18 21:11 Timer

Unfortunately there is anything could be done on this application, if there is some configuration it should be done on nginx itself, in order to test authentication on this application on receiving a OPTIONS request.

tiagoapimenta avatar Nov 19 '18 21:11 tiagoapimenta

Sorry, I misunderstood your question, what you need is a conditional auth test, right? For now I recommend you make it on nginx, I believe there is a match you can perform on the request, but it is true that a future version will allow it:

https://github.com/tiagoapimenta/nginx-ldap-auth/blob/next/config.sample.yaml History: https://github.com/tiagoapimenta/nginx-ldap-auth/blob/8c94852/config.sample.yaml

tiagoapimenta avatar Nov 19 '18 22:11 tiagoapimenta

But have said that, it will only allow you to configure different authentication rules depending on some headers, and it is planned a special rule called allowAnonymous that may be what you need.

tiagoapimenta avatar Nov 19 '18 22:11 tiagoapimenta

what you need is a conditional auth test, right

Yes, based on HTTP header. This sounds like what I need.

Timer avatar Nov 20 '18 01:11 Timer