pomerium: `Access-Control-Allow-Origin` error on authenticate service
## What happened?
I’m experiencing a strange and problematic situation; I suppose it has been happening since v0.5.0, because I’ve never seen it before.
At first it seemed similar to #390 but this one is about the pomerium service not answering CORS correctly.
Basically what happens is something like this:
- An SPA is making XHR calls without problems (with the `X-Requested-With` header)
- at one point, one of the requests is considered as needing reauth by the proxy
- so the proxy returns a redirect response toward the authenticate service
- the browser tries to validate this can be done with OPTIONS
- we get the following error in the browser:
```
Access to XMLHttpRequest at 'https://auth.example.com/.pomerium/sign_in?redirect_uri=https%3A%2F%2Fapp.example.com%2Fapi%stuff%2F10&sig=nSjPGT0tgnrsizrhZnWZZ0WvYSI_Zyy0UaMXkY-vdtg%3D&ts=1574843825' (redirected from 'https://app.example.com/api/stuff/10') from origin 'https://app.example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
```
## What did you expect to happen?
It seems to me that it is authenticate that does not answer CORS requests while I think it should.
## Environment
- Pomerium version (retrieve with `pomerium --version` or `/ping` endpoint): v0.5.0
- Server Operating System/Architecture/Cloud: AKS
## What did you see in the logs?
The logs are not very clear about what happens
authenticate:

```json
{
  "level": "info",
  "fwd_ip": [
    "86.234.73.194"
  ],
  "ip": "10.242.1.28",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:70.0) Gecko/20100101 Firefox/70.0",
  "referer": "https://app.example.com/optimize/stuff/10",
  "req_id": "08388fd6-6fcb-99e4-075a-12f4c86c4189",
  "error": "internal/sessions: session is not found",
  "time": "2019-11-27T08:32:05Z",
  "message": "authenticate: verify session"
}
{
  "level": "debug",
  "fwd_ip": [
    "86.234.73.194"
  ],
  "ip": "10.242.1.28",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:70.0) Gecko/20100101 Firefox/70.0",
  "referer": "https://app.example.com/optimize/stuff/10",
  "req_id": "08388fd6-6fcb-99e4-075a-12f4c86c4189",
  "duration": 0.227797,
  "size": 841,
  "status": 302,
  "email": "",
  "group": "",
  "method": "GET",
  "service": "authenticate",
  "host": "auth.example.com",
  "path": "/.pomerium/sign_in?redirect_uri=https%3A%2F%2Fapp.example.com%2Fapi%2Fstuffs%2F10&sig=oMLbIJX2xjMf2-YkzmZgCrdDYBJSSR5IDdxv7blDN_o%3D&ts=1574843525",
  "time": "2019-11-27T08: 32: 05Z",
  "message": "http-request"
}
{
  "level": "debug",
  "fwd_ip": [
    "109.220.184.108"
  ],
  "ip": "10.242.0.22",
  "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0",
  "referer": "https://app.example.com/optimize/stuff/10",
  "req_id": "54dd9be1-43d9-65c4-16b6-f7ab64ba348e",
  "duration": 0.308897,
  "size": 0,
  "status": 200,
  "email": "",
  "group": "",
  "method": "OPTIONS",
  "service": "authenticate",
  "host": "auth.example.com",
  "path": "/.pomerium/sign_in?redirect_uri=https%3A%2F%2Fapp.example.com%2Fapi%2Fstuffs%2F10&sig=1bga3DYmFYiNUea7g_Fk4uTkeic7G34dOeWlt9eJWAM%3D&ts=1574843638",
  "time": "2019-11-27T08: 33: 58Z",
  "message": "http-request"
}
```
About this issue
- State: closed
- Created 5 years ago
- Comments: 20 (10 by maintainers)
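The following is an added example, not part of the original issue and not Pomerium code. It is a simplified version of the check a browser applies to a preflight response, showing why the `OPTIONS` request logged with status 200 still fails once the redirect makes the `X-Requested-With` XHR cross-origin. The function name, the request/response object shapes and the sample header values are assumptions made for illustration.

```javascript
// Added example: simplified browser-side CORS preflight check (not Pomerium code).
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Split a comma-separated header value into lowercase tokens.
const tokens = (v) => (v || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);

// req: { origin, method, headers: [non-safelisted header names], credentials }
// res: { status, headers: { "lowercase-name": value } }
function checkPreflight(req, res) {
  const h = res.headers || {};
  const fail = (reason) => ({ ok: false, reason });
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return fail("no Access-Control-Allow-Origin header");
  // "*" is only honoured when the request carries no credentials.
  if (!(acao === "*" && !req.credentials) && acao !== req.origin)
    return fail("Access-Control-Allow-Origin does not match origin");
  if (req.credentials && h["access-control-allow-credentials"] !== "true")
    return fail("Access-Control-Allow-Credentials is not true");
  if (res.status < 200 || res.status > 299) return fail("preflight status is not 2xx");
  const wildcard = (list) => list.includes("*") && !req.credentials;
  const methods = tokens(h["access-control-allow-methods"]);
  // Simplification: method names are compared case-insensitively here.
  if (!SAFELISTED_METHODS.has(req.method) && !wildcard(methods) &&
      !methods.includes(req.method.toLowerCase()))
    return fail("method not allowed: " + req.method);
  const allowed = tokens(h["access-control-allow-headers"]);
  for (const name of req.headers)
    if (!wildcard(allowed) && !allowed.includes(name.toLowerCase()))
      return fail("header not allowed: " + name);
  return { ok: true, reason: "preflight passes" };
}

// Constructed inputs modelled on the report: an XHR from the app origin that
// carries X-Requested-With and has been redirected to the authenticate host.
const xhr = { origin: "https://app.example.com", method: "GET",
              headers: ["X-Requested-With"], credentials: false };
// The logged OPTIONS reply: status 200, size 0, no CORS headers (per the browser error).
const logged = { status: 200, headers: {} };
// Hypothetical replies: origin allowed but header not listed, then both allowed.
const acaoOnly = { status: 200,
  headers: { "access-control-allow-origin": "https://app.example.com" } };
const passing = { status: 200, headers: {
  "access-control-allow-origin": "https://app.example.com",
  "access-control-allow-headers": "X-Requested-With" } };

for (const [label, res] of [["logged", logged], ["acaoOnly", acaoOnly], ["passing", passing]])
  console.log(label, checkPreflight(xhr, res));
```

A 2xx status alone does not satisfy the check; the response must also name the calling origin and the non-safelisted `X-Requested-With` header.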
Good!
Perhaps there was another error, unrelated to refresh. That could also result in a redirect.
I’m going to close this for now then. If anything regresses, lmk.
Unfortunately, I think there is more going on here than I initially realized. I’m working hard to solve this entire class of issue (SPA problems when trying to do a session refresh without breaking the app).
Stay tuned. 😃