ingress-nginx: CORS Headers missing when using auth-url and auth-signin with Oauth2-Proxy
What happened: I have added the following annotations in my Ingress definition:
nginx.ingress.kubernetes.io/auth-url: "https://api-auth.xyz.com/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://api-auth.xyz.com/oauth2/start?rd=$scheme://$best_http_host$request_uri"
with the host configured as api.xyz.com and the OIDC issuers being Keycloak.
On doing a curl to https://api.xyz.com/api/v1/onboard/getAssociatedOrganization, here is the response I have gotten from NGINX, which does not include any kind of CORS-specific headers:
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fc205013600)
> GET /api/v1/onboard/getAssociatedOrganization HTTP/2
> Host: api.xyz.com
> user-agent: curl/7.79.1
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 302
< date: Tue, 05 Jul 2022 21:16:50 GMT
< content-type: text/html
< content-length: 138
< location: https://api-auth.xyz.com/oauth2/start?rd=http://api.xyz.com/api/v1/onboard/getAssociatedOrganization
<
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
This is causing issues in the browser since, on getting the 302 from NGINX due to the auth-signin annotation, I start getting CORS errors:
Access to XMLHttpRequest at 'https://api.xyz.com/api/v1/onboard/getAssociatedOrganization' from origin 'https://app.xyz.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I have tried the following annotations to enable CORS headers in the 302 response, but to no avail:
nginx.ingress.kubernetes.io/cors-allow-credentials: "false"
nginx.ingress.kubernetes.io/cors-allow-methods: PUT, GET, POST, OPTIONS
nginx.ingress.kubernetes.io/enable-cors: "true"
What you expected to happen:
- I expect the 302 request being generated by NGINX for auth-signin to have CORS headers present in it so that it does not get blocked by the browser. Any help/suggestions would be appreciated.
NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):
Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.2", GitCommit:"f66044f4361b9f1f96f0053dd46cb7dce5e990a8", GitTreeState:"clean", BuildDate:"2022-06-15T14:14:10Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"darwin/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"22+", GitVersion:"v1.22.9-eks-a64ea69", GitCommit:"540410f9a2e24b7a2a870ebfacb3212744b5f878", GitTreeState:"clean", BuildDate:"2022-05-12T19:15:31Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"linux/amd64"}
About this issue
- State: closed
- Created 2 years ago
- Reactions: 5
- Comments: 29 (20 by maintainers)
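A check for the failure described in this issue, as an added example that is not part of the original report or the ingress-nginx project: it parses the response lines of `curl -v` output and applies the browser's Access-Control-Allow-Origin check for a given origin. The sample transcripts are constructed from the values in the report, and the function names are hypothetical.

```python
"""Check whether a captured `curl -v` response would pass a browser's CORS check."""

# Constructed sample: response lines modelled on the 302 shown in the report.
SAMPLE_302 = """\
< HTTP/2 302
< date: Tue, 05 Jul 2022 21:16:50 GMT
< content-type: text/html
< content-length: 138
< location: https://api-auth.xyz.com/oauth2/start?rd=http://api.xyz.com/api/v1/onboard/getAssociatedOrganization
<
"""

# Constructed sample: the same redirect if it also carried a CORS header.
SAMPLE_302_CORS = SAMPLE_302.replace(
    "< content-length: 138\n",
    "< content-length: 138\n< access-control-allow-origin: https://app.xyz.com\n",
)


def parse_curl_response(verbose_output):
    """Return (status, headers) from the '<'-prefixed lines of `curl -v` output."""
    status, headers = None, {}
    for line in verbose_output.splitlines():
        if not line.startswith("<"):
            continue  # skip request lines ('>') and curl's own notes ('*')
        text = line[1:].strip()
        if text.upper().startswith("HTTP/"):
            status = int(text.split()[1])
        elif ":" in text:
            name, value = text.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def cors_verdict(verbose_output, origin, with_credentials=False):
    """Apply the browser's Access-Control-Allow-Origin check to one response."""
    status, headers = parse_curl_response(verbose_output)
    allow = headers.get("access-control-allow-origin")
    if allow is None:
        return status, "blocked: no Access-Control-Allow-Origin header"
    if allow == "*" and with_credentials:
        return status, "blocked: wildcard origin not allowed with credentials"
    if allow not in ("*", origin):
        return status, "blocked: allowed origin %r does not match" % allow
    if with_credentials and headers.get("access-control-allow-credentials") != "true":
        return status, "blocked: Access-Control-Allow-Credentials is not 'true'"
    return status, "allowed"
```

Running `cors_verdict` over responses captured with an `Origin` request header, for both the normal path and the unauthenticated redirect path, shows which responses from the ingress lack the headers.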
Hi @longwuyuan, I checked the generated nginx.conf and found the location block generated for the redirect of the auth-signin URL.
Inside this block, even the CORS headers set in the parent request are not retained. Should we also add a template which generates code to add headers related to CORS inside the above block generation in nginx.tmpl?
Oh, that is an important insight.
Now need to get some dev time on it. It's hard as we are on freeze for features, but this seems like a bug. Will update.
/area stabilization /kind bug /triage accepted