CORS for isAjax requests

[POD666]

I have a SPA that is running separately from API webserver:
SPA -> oauth2-proxy -> API webserver

When OAUTH2_PROXY_COOKIE_REFRESH cookie expires, SPA gets 401 in response but without CORS headers and so blocked by a browser.

Expected Behavior

401 Response can be handled

Current Behavior

401 Response is blocked by a browser because of CORS:

Access to XMLHttpRequest at 'http://localhost:4180/api/v1/features' from origin 'http://localhost:7777' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Where http://localhost:7777 is my SPA.

Possible Solution

Following changes here work for me:

// ErrorJSON returns the error code with an application/json mime type
func (p *OAuthProxy) ErrorJSON(req *http.Request, rw http.ResponseWriter, code int) {
	rw.Header().Set("Content-Type", applicationJSON)
	origin := req.Header.Get("Origin")
	if origin != "" {
		rw.Header().Set("Access-Control-Allow-Origin", origin)
		rw.Header().Set("Access-Control-Allow-Credentials", "true")
	}
	rw.WriteHeader(code)
}

Is it good enough to prepare PR? Is there a better solution/workaround?

[NickMeves]

Is this potentially resolved by better handling of the token refresh process? We've identified a need to allow the refresh to happen before an access token is expired (ie at 90% of the lifespan) so you don't get these boundary 401 errors.

We've also discussed the stampede issue that comes with this refresh process here too: #667

[POD666]

I'm not handling any tokens in SPA, just sending requests with cookies to my API and popup login page on 401. So all I want is a response not to be blocked by a browser - the CORS issue.

What exactly do you propose for handling of tokens?

[NickMeves]

I was thinking we don't wait for the 401 to hit the client -- we allow sessions to automatically refresh the access tokens via the refresh token before they expire while they are still alive.

Or is this more an issue with the whole session expiring (not the refresh timer) -- and getting a 401 back triggering a re-auth? In that case, I'll need to think more about CORS

[POD666]

Yeah, this is more about the whole session expiring. I think I will add something to continuously refresh user sessions but until then I need to be able to handle 401. And even after, I guess 401 errors may occur in different scenarios, no?

[POD666]

I have tried to perform an auth check before API calls by using /oauth2/auth endpoint but it also fails with the CORS issue.

[POD666]

Moving forward, I got the same issue with /oauth2/sign_out endpoint (fixed as earlier):

Access to XMLHttpRequest at 
'http://keycloak:8081/auth/realms/master/protocol/openid-connect/logout?post_logout_redirect_uri=http://localhost:4180/app/' 
(redirected from 'http://localhost:4180/oauth2/sign_out?rd=http%3A%2F%2Fkeycloak%3A8081%2Fauth%2Frealms%2Fmaster%2Fprotocol%2Fopenid-connect%2Flogout%3Fpost_logout_redirect_uri%3Dhttp%3A%2F%2Flocalhost%3A4180%2Fapp%2F') 
from origin 'http://localhost:4180' has been blocked by CORS policy: 
Response to preflight request doesn't pass access control check: 
No 'Access-Control-Allow-Origin' header is present on the requested resource.

Also, it's a bit confusing that my js app needs to know what to set for the rd parameter, I would prefer oauth2-proxy to extract it from the OIDC provider metadata (ref). Or at least be configurable like LoginURL and RedeemURL. Does it sound like something worth opening a feature request? 🙂

[github-actions]

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

[J3m5]

How did you solved this issue @POD666 ?

[POD666]

@J3m5 just forked this repo with all the fixes I mentioned before. But after all, we decided not to use oauth2-proxy for now.

Here is `git diff` but obviously it's not production ready

diff --git a/oauthproxy.go b/oauthproxy.go
index d5e7184..ae982f9 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -546,10 +546,17 @@ func (p *OAuthProxy) GetRedirect(req *http.Request) (redirect string, err error)
 		return
 	}
 
-	redirect = req.Header.Get("X-Auth-Request-Redirect")
-	if req.Form.Get("rd") != "" {
+	if req.Form.Get("end_session_url") == "true" {
+		redirect = p.provider.Data().EndSessionEndpoint.String()
+		if req.Form.Get("rd") != "" {
+			redirect = redirect + "?post_logout_redirect_uri=" + req.Form.Get("rd")
+		}
+	} else if req.Form.Get("rd") != "" {
 		redirect = req.Form.Get("rd")
+	} else {
+		redirect = req.Header.Get("X-Auth-Request-Redirect")
 	}
+
 	if !p.IsValidRedirect(redirect) {
 		redirect = req.URL.Path
 		if strings.HasPrefix(redirect, p.ProxyPrefix) {
@@ -751,6 +758,11 @@ func (p *OAuthProxy) SignOut(rw http.ResponseWriter, req *http.Request) {
 		return
 	}
 	p.ClearSessionCookie(rw, req)
+	origin := req.Header.Get("Origin")
+	if origin != "" {
+		rw.Header().Set("Access-Control-Allow-Origin", origin)
+		rw.Header().Set("Access-Control-Allow-Credentials", "true")
+	}
 	http.Redirect(rw, req, redirect, http.StatusFound)
 }
 
@@ -771,6 +783,11 @@ func (p *OAuthProxy) OAuthStart(rw http.ResponseWriter, req *http.Request) {
 		return
 	}
 	redirectURI := p.GetRedirectURI(req.Host)
+	origin := req.Header.Get("Origin")
+	if origin != "" {
+		rw.Header().Set("Access-Control-Allow-Origin", origin)
+		rw.Header().Set("Access-Control-Allow-Credentials", "true")
+	}
 	http.Redirect(rw, req, p.provider.GetLoginURL(redirectURI, fmt.Sprintf("%v:%v", nonce, redirect)), http.StatusFound)
 }
 
@@ -845,12 +862,17 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
 func (p *OAuthProxy) AuthenticateOnly(rw http.ResponseWriter, req *http.Request) {
 	session, err := p.getAuthenticatedSession(rw, req)
 	if err != nil {
-		http.Error(rw, "unauthorized request", http.StatusUnauthorized)
+		p.ErrorJSON(req, rw, http.StatusUnauthorized)
 		return
 	}
 
 	// we are authenticated
 	p.addHeadersForProxying(rw, req, session)
+	origin := req.Header.Get("Origin")
+	if origin != "" {
+		rw.Header().Set("Access-Control-Allow-Origin", origin)
+		rw.Header().Set("Access-Control-Allow-Credentials", "true")
+	}
 	rw.WriteHeader(http.StatusAccepted)
 }
 
@@ -868,7 +890,7 @@ func (p *OAuthProxy) Proxy(rw http.ResponseWriter, req *http.Request) {
 		// we need to send the user to a login screen
 		if isAjax(req) {
 			// no point redirecting an AJAX request
-			p.ErrorJSON(rw, http.StatusUnauthorized)
+			p.ErrorJSON(req, rw, http.StatusUnauthorized)
 			return
 		}
 
@@ -1128,8 +1150,13 @@ func isAjax(req *http.Request) bool {
 }
 
 // ErrorJSON returns the error code with an application/json mime type
-func (p *OAuthProxy) ErrorJSON(rw http.ResponseWriter, code int) {
+func (p *OAuthProxy) ErrorJSON(req *http.Request, rw http.ResponseWriter, code int) {
 	rw.Header().Set("Content-Type", applicationJSON)
+	origin := req.Header.Get("Origin")
+	if origin != "" {
+		rw.Header().Set("Access-Control-Allow-Origin", origin)
+		rw.Header().Set("Access-Control-Allow-Credentials", "true")
+	}
 	rw.WriteHeader(code)
 }
 
diff --git a/pkg/apis/options/options.go b/pkg/apis/options/options.go
index ff9b1ca..61f1626 100644
--- a/pkg/apis/options/options.go
+++ b/pkg/apis/options/options.go
@@ -95,6 +95,7 @@ type Options struct {
 	OIDCJwksURL                        string `flag:"oidc-jwks-url" cfg:"oidc_jwks_url"`
 	LoginURL                           string `flag:"login-url" cfg:"login_url"`
 	RedeemURL                          string `flag:"redeem-url" cfg:"redeem_url"`
+	EndSessionEndpoint                 string `flag:"end-session-endpoint" cfg:"end_session_endpoint"`
 	ProfileURL                         string `flag:"profile-url" cfg:"profile_url"`
 	ProtectedResource                  string `flag:"resource" cfg:"resource"`
 	ValidateURL                        string `flag:"validate-url" cfg:"validate_url"`
@@ -278,6 +279,7 @@ func NewFlagSet() *pflag.FlagSet {
 	flagSet.String("oidc-jwks-url", "", "OpenID Connect JWKS URL (ie: https://www.googleapis.com/oauth2/v3/certs)")
 	flagSet.String("login-url", "", "Authentication endpoint")
 	flagSet.String("redeem-url", "", "Token redemption endpoint")
+	flagSet.String("end-session-endpoint", "", "End session endpoint, use the one obtained from the main OIDC provider by default")
 	flagSet.String("profile-url", "", "Profile access endpoint")
 	flagSet.String("resource", "", "The resource that is protected (Azure AD only)")
 	flagSet.String("validate-url", "", "Access token validation endpoint")
diff --git a/pkg/validation/options.go b/pkg/validation/options.go
index 44a3e75..8decbbc 100644
--- a/pkg/validation/options.go
+++ b/pkg/validation/options.go
@@ -122,8 +122,8 @@ func Validate(o *options.Options) error {
 						o.OIDCJwksURL = body.Get("jwks_uri").MustString()
 					}
 
-					if o.ProfileURL == "" {
-						o.ProfileURL = body.Get("userinfo_endpoint").MustString()
+					if o.EndSessionEndpoint == "" {
+						o.EndSessionEndpoint = body.Get("end_session_endpoint").MustString()
 					}
 
 					o.SkipOIDCDiscovery = true
@@ -294,6 +294,7 @@ func parseProviderInfo(o *options.Options, msgs []string) []string {
 	}
 	p.LoginURL, msgs = parseURL(o.LoginURL, "login", msgs)
 	p.RedeemURL, msgs = parseURL(o.RedeemURL, "redeem", msgs)
+	p.EndSessionEndpoint, msgs = parseURL(o.EndSessionEndpoint, "end_session_endpoint", msgs)
 	p.ProfileURL, msgs = parseURL(o.ProfileURL, "profile", msgs)
 	p.ValidateURL, msgs = parseURL(o.ValidateURL, "validate", msgs)
 	p.ProtectedResource, msgs = parseURL(o.ProtectedResource, "resource", msgs)
diff --git a/providers/provider_data.go b/providers/provider_data.go
index de5bc0d..012977e 100644
--- a/providers/provider_data.go
+++ b/providers/provider_data.go
@@ -11,12 +11,13 @@ import (
 // ProviderData contains information required to configure all implementations
 // of OAuth2 providers
 type ProviderData struct {
-	ProviderName      string
-	LoginURL          *url.URL
-	RedeemURL         *url.URL
-	ProfileURL        *url.URL
-	ProtectedResource *url.URL
-	ValidateURL       *url.URL
+	ProviderName       string
+	LoginURL           *url.URL
+	RedeemURL          *url.URL
+	EndSessionEndpoint *url.URL
+	ProfileURL         *url.URL
+	ProtectedResource  *url.URL
+	ValidateURL        *url.URL
 	// Auth request params & related, see
 	//https://openid.net/specs/openid-connect-basic-1_0.html#rfc.section.2.1.1.1
 	AcrValues        string

Here is the planned architecture

Hope it was helpful 🙂

[phllpmcphrsn]

@POD666 did you wind up rolling with your own solution or did you find another proxy?

[POD666]

@phllpmcphrsn we end up with direct communication to an auth backend, so no need for any proxy in our case.

Anyway would be nice if oauth2-proxy adds support for such cases.