Oathkeeper behind ingress-nginx CORS problem #663

PeteMac88 · 2021-03-15T11:40:51Z

PeteMac88
Mar 15, 2021

Hey there,
I am running oathkeeper as a external auth server behind an ingress-nginx in a k8s cluster and I have some problems with the CORS settings. I am using the auth-url annotation to call the decision API.

The Problem I am facing is that the preflight OPTION requests are answered with 401 and therefore the following GET request is not made. I enabled cors for the oathkeeper API over the configuration with wildcard alllow_origins but still get the same error. I observed over the logs that for each OPTIONS request the oathkeeper logs show following entry (removed real uris):

[cors] 2021/03/15 11:26:46 Handler: Actual request
[cors] 2021/03/15 11:26:46   Actual response added headers: map[Access-Control-Allow-Origin:[https://test.de] Access-Control-Expose-Headers:[Content-Type] Vary:[Origin]]
{"http_request":{"headers":{"accept":"*/*","accept-encoding":"gzip, deflate, br","accept-language":"de-DE,de;q=0.9","origin":"https://test.de","referer":"https://test.de/","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36","x-forwarded-for":"10.1.2.180","x-request-id":"94113777ed38863ca6244bb4d226eadf"},"host":"oathkeeper-api.auth.svc.cluster.local","method":"GET","path":"/decisions/apis/test/graphql","query":null,"remote":"10.1.3.146:52814","scheme":"http"},"level":"info","msg":"started handling request","time":"2021-03-15T11:26:46Z"}
{"audience":"application","error":{"debug":"","message":"Access credentials are invalid","reason":"","status":"Unauthorized","status_code":401},"granted":false,"http_host":"oathkeeper-api.auth.svc.cluster.local","http_method":"GET","http_url":"http://oathkeeper-api.auth.svc.cluster.local/apis/test/graphql","http_user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36","level":"warning","msg":"No authentication handler was responsible for handling the authentication request","reason_id":"authentication_handler_no_match","rule_id":"test","service_name":"ORY Oathkeeper","service_version":"v0.38.5-beta.1","time":"2021-03-15T11:26:46Z"}

So I think what happens is that nginx is doing a GET request to oathkeeper for the preflight request which is unauthorized because of the missing authorizatiob header. As far as I understand its ok for preflight request to not have a auth header. Do you dealt with this issue before and have a recommendation here? We could enable CORS on the nginx level but I was wondering if there is another solution?