This repository has been archived by the owner on Jan 24, 2019. It is now read-only.

--skip-auth-preflight not working #471

Closed
sneko opened this issue Oct 6, 2017 · 7 comments


sneko commented Oct 6, 2017

Hi,

I'm doing some AJAX calls in my web app, but unfortunately the OPTIONS request that checks whether the request is authorized (CORS...) receives a 302 redirect HTTP error because of oauth2-proxy.

Here is the error message:

Failed to load https://.../abc/abc: Response for preflight is invalid (redirect)

So I have tried the oauth2-proxy option "--skip-auth-preflight", but it doesn't work for me :( Is there anything else to do to make it work?

Thank you!

CC: @ploxiln @idntfy #370

EDIT: To clarify, I'm using Kubernetes and its annotation

ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start"

Maybe this option to skip auth on OPTIONS requests has not been tested with Kubernetes for now?


idntfy commented Oct 6, 2017

--skip-auth-preflight or -skip-auth-preflight=true? We run the latter in our system.


sneko commented Oct 6, 2017

@idntfy I have tried both and none of them work :(


idntfy commented Oct 6, 2017

Are you sure it's not your backend that returns the 302? The change doesn't do anything besides checking that the method is OPTIONS.


sneko commented Oct 6, 2017

@idntfy Yeah, I'm pretty sure. Here are the response headers:

```
content-length:161
content-type:text/html
date:Fri, 06 Oct 2017 21:04:37 GMT
location:https://.../oauth2/sign_in?rd=/abc/abc
server:nginx/1.13.5
status:302
strict-transport-security:max-age=15724800; includeSubDomains;
```


sneko commented Oct 7, 2017

After 4 hours of research, I haven't solved this problem :( I hope someone will have an idea :)


sneko commented Oct 8, 2017

@idntfy After 1 day of research, trying to debug by recompiling this lib, changing Ingress settings... I just found the solution!

My Angular app was doing AJAX calls, and OPTIONS requests don't include cookies, so my Ingress was redirecting to the login page (hence the 302 code, but the OPTIONS preflight expects a 200-299 HTTP code). The idea is to send a good HTTP code with CORS headers. There is an "enable-cors" Ingress annotation, but it sets Access-Control-Allow-Origin to '*', so the browser doesn't allow sending GET/POST/DELETE/PUT with cookies (we need to give just 1 specific domain). I had to make my own customization in the right annotation:
```nginx
ingress.kubernetes.io/configuration-snippet: |
  # Only origins matching this pattern get CORS headers (replace DOMAIN with your domain).
  if ($http_origin ~* "^https?://(www\.DOMAIN\.com|localhost(:[0-9]+)?)$") {
      set $cors "true";
  }

  # Preflights from an allowed origin become "trueoptions"; other OPTIONS stay unmatched.
  if ($request_method = 'OPTIONS') {
      set $cors "${cors}options";
  }

  # Actual requests: reflect the one allowed origin (never '*' when cookies are sent).
  if ($cors = "true") {
      more_set_headers "Access-Control-Allow-Origin: $http_origin";
      more_set_headers "Access-Control-Allow-Credentials: true";
  }

  # Preflights carry no cookies, so answer them with 204 instead of the auth redirect.
  if ($cors = "trueoptions") {
      add_header 'Access-Control-Allow-Origin' "$http_origin";
      add_header 'Access-Control-Allow-Credentials' 'true';
      add_header 'Access-Control-Allow-Methods' 'GET,POST,PUT,DELETE,OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
      add_header 'Access-Control-Max-Age' 1728000;
      add_header 'Content-Length' 0;
      # Media type and charset are separated by ';' (the original was missing it).
      add_header 'Content-Type' 'text/plain; charset=UTF-8';
      return 204;
  }
```

And it works well!

(For information, in Angular HTTP, to attach cookies to any request (except OPTIONS) you need to set the parameter withCredentials to true :) )

I hope it's going to help someone; it may seem simple, but with all these things to take into account it was really tricky 😢

Have a good day 😀 !
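As an added illustration (not code from this thread, oauth2_proxy or ingress-nginx): a small Python model of the ingress behaviour sneko describes, where a cookie-less OPTIONS preflight must be answered before the auth redirect, and only for an allowlisted origin. The allowlist regex, sign-in URL and `handle`/`preflight_ok` names are assumptions; `preflight_ok` models the browser's acceptance rules for a credentialed preflight, which is why the `enable-cors` wildcard fails.

```python
import re
from urllib.parse import quote

# Constructed placeholders (assumptions, not values from the thread).
ALLOWED_ORIGIN = re.compile(r"^https?://(www\.example\.com|localhost(:[0-9]+)?)$")
SESSION_COOKIE = "_oauth2_proxy"          # cookie name mentioned in the thread
SIGN_IN = "https://example.com/oauth2/sign_in"


def handle(method, path, headers, cookies):
    """Return (status, response_headers) for one request reaching the ingress."""
    origin = headers.get("Origin", "")
    allowed = bool(ALLOWED_ORIGIN.match(origin))
    # Preflights carry no cookies, so they are answered before the auth check,
    # but only for a trusted origin, and by reflecting that origin (never '*').
    if method == "OPTIONS" and allowed:
        return 204, {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Access-Control-Allow-Methods": "GET,POST,PUT,DELETE,OPTIONS",
            "Access-Control-Max-Age": "1728000",
        }
    # Everything else needs the session cookie; otherwise the auth-signin
    # redirect the reporter observed (302 to sign_in with rd=<path>) is sent.
    if SESSION_COOKIE not in cookies:
        return 302, {"Location": f"{SIGN_IN}?rd={quote(path, safe='/')}"}
    resp = {"Content-Type": "application/json"}
    if allowed:
        resp["Access-Control-Allow-Origin"] = origin
        resp["Access-Control-Allow-Credentials"] = "true"
    return 200, resp


def preflight_ok(status, resp, origin):
    """Browser rules for a credentialed preflight: 2xx (a redirect fails),
    ACAO must equal the requesting origin exactly (a '*' fails), ACAC must be true."""
    return (200 <= status < 300
            and resp.get("Access-Control-Allow-Origin") == origin
            and resp.get("Access-Control-Allow-Credentials") == "true")
```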

@sneko sneko closed this as completed Oct 8, 2017

sneko commented Oct 8, 2017

@jehiah It would have been easier if oauth2_proxy accepted managing the token through cookies and a custom header.

For now there is just the cookie "_oauth2_proxy", but we could imagine handling an "X-OAuth2-Proxy" header if the cookie is not present. That way, in any framework, I would just have to add this header on each HTTP request without dealing with "withCredentials + only 1 origin domain + enable CORS" 😃

EDIT: To get this token, I just have to read cookies in JavaScript
