ory / oathkeeper

A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.

Home Page: https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra


Regression: CORS is not handled properly

marcinfigiel opened this issue · comments

Describe the bug

Version 0.40.0 introduced a regression in CORS handling by the decisions API. Up to v0.39.4 it worked flawlessly; now it's broken.

The regression was introduced by #999 - this line to be exact. It adds the CORS handler after the DecisionHandler.
After this change the CORS preflight requests (OPTIONS) are intercepted and authenticated by the DecisionHandler, which always fails, because browsers don't attach the authentication data to the preflight requests.

Reproducing the bug

  1. Run Oathkeeper with the API configuration as attached below
  2. Make Oathkeeper decisions API available under localhost:4456
  3. Execute the following curl:
curl -i 'http://localhost:4456/decisions/some/api/endpoint' \
  -X 'OPTIONS' \
  -H 'Accept: */*' \
  -H 'Accept-Language: en-US,en;q=0.9,pl;q=0.8' \
  -H 'Access-Control-Request-Headers: site' \
  -H 'Access-Control-Request-Method: GET' \
  -H 'Connection: keep-alive' \
  -H 'Origin: http://localhost:5000' \
  -H 'Referer: http://localhost:5000/' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-site' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36'

Expected response (copied from v0.39.4):

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Site
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: http://localhost:5000
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Date: Tue, 24 Jan 2023 14:13:33 GMT
Content-Length: 0

Actual response (copied from v0.40.1):

HTTP/1.1 401 Unauthorized
Content-Type: application/json
Date: Tue, 24 Jan 2023 14:16:16 GMT
Content-Length: 95

{"error":{"code":401,"status":"Unauthorized","message":"The request could not be authorized"}}

Relevant log output

No response

Relevant configuration

serve:
  api:
    cors:
      allow_credentials: true
      allowed_headers:
      - Cookie
      - Content-Type
      - Site
      allowed_methods:
      - GET
      - PUT
      - POST
      - PATCH
      - DELETE
      allowed_origins:
      - http://localhost:5000
      debug: false
      enabled: true
      exposed_headers:
      - Access-Control-Allow-Origin
      - Access-Control-Allow-Method
      - Access-Control-Allow-Headers
      - Access-Control-Allow-Credentials
    port: 4456

Version

0.40.1

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes with Helm

Additional Context

No response
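The handler-ordering problem this report describes (the CORS handler registered after the DecisionHandler, so a credential-less OPTIONS preflight reaches the authenticator first) can be reproduced in isolation. The following is an added Go example, not code from the Oathkeeper code base; `decision`, `cors` and `upstream` are constructed stand-ins for the real handlers, and the allowed origin and path are the ones from the report.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// decision is a constructed stand-in for the DecisionHandler: no Authorization header means 401.
func decision(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			http.Error(w, `{"error":{"code":401,"status":"Unauthorized"}}`, http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// cors answers a preflight (OPTIONS with Origin and Access-Control-Request-Method) for the allowed origin.
func cors(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if r.Method == http.MethodOptions && origin == "http://localhost:5000" &&
			r.Header.Get("Access-Control-Request-Method") != "" {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Methods", r.Header.Get("Access-Control-Request-Method"))
			w.WriteHeader(http.StatusOK)
			return
		}
		next.ServeHTTP(w, r) // not a preflight: let the decision handler judge it
	})
}

// upstream stands in for whatever handles a request once it is authorized.
var upstream = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })

// Preflight replays the report's credential-less browser preflight through h and returns the status.
func Preflight(h http.Handler) int {
	req := httptest.NewRequest(http.MethodOptions, "/decisions/some/api/endpoint", nil)
	req.Header.Set("Origin", "http://localhost:5000")
	req.Header.Set("Access-Control-Request-Method", "GET")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// CorsFirst is the v0.39.4 order (CORS wraps the decision handler): the preflight gets 200.
func CorsFirst() int { return Preflight(cors(decision(upstream))) }
// DecisionFirst is the v0.40.0 order (decision handler wraps CORS): the preflight gets 401.
func DecisionFirst() int { return Preflight(decision(cors(upstream))) }
```

Swapping the two wrappers is the whole difference between the expected and actual responses shown in the report, which is why the fix is a matter of middleware order rather than CORS configuration.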