Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Using gitea as OIDC provider - CORS problem #28515

Closed
morphelinho opened this issue Dec 18, 2023 · 4 comments · Fixed by #28587
Closed

Using gitea as OIDC provider - CORS problem #28515

morphelinho opened this issue Dec 18, 2023 · 4 comments · Fixed by #28587
Labels

Comments

@morphelinho
Copy link
Contributor

Description

I want to use my own hosted gitea instance as OIDC provider for a test SPA based on angular-oauth2-oidc.

Request for oidc discovery is blocked with error message:
Access to XMLHttpRequest at 'https://gitea-instance/.well-known/openid-configuration' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Enabling cors in gitea-instance via

[cors]
ENABLED = true
ALLOW_DOMAIN = *

does unblock this request but the follow up request for autodiscovery is blocked too:

Access to XMLHttpRequest at 'https://gitea-instance/login/oauth/keys' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Any help would be appreciated.

Gitea Version

Gitea version: 1.21.2 built with GNU Make 4.4.1, go1.21.5 : bindata, timetzdata, sqlite, sqlite_unlock_notify

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Docker image gitea/gitea:latest in self hosted bare metal kubernetes single node cluster.

Database

None

@wxiaoguang
Copy link
Contributor

wxiaoguang commented Dec 18, 2023

Same as #28184 (comment) , the keys handler was never covered by CORS. You could try to add m.Options("/login/oauth/keys", CorsHandler(), misc.DummyBadRequest) to code and build your own binary to see whether it works well.

@morphelinho
Copy link
Contributor Author

As suggested I tested with a local build image containing the following modification in routers/web/web.go:
m.Options("/login/oauth/userinfo", CorsHandler(), misc.DummyBadRequest)
m.Options("/login/oauth/keys", CorsHandler(), misc.DummyBadRequest)
This solution fixes the problem mentioned in #28184 with

Request URL: https://gitea-instance/login/oauth/userinfo
Request Method: OPTIONS
Status Code: 405 Method Not Allowed

curl -v -X OPTIONS --header "Access-Control-Request-Method: POST" http://localhost:3000/login/oauth/access_token
* Host localhost:3000 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:3000...
* Connected to localhost (::1) port 3000
> OPTIONS /login/oauth/access_token HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/8.5.0
> Accept: */*
> Access-Control-Request-Method: POST
> 
< HTTP/1.1 200 OK
< Cache-Control: max-age=0, private, must-revalidate, no-transform
< Set-Cookie: i_like_gitea=b38d09d373f10a89; Path=/; HttpOnly; Secure; SameSite=Lax
< Set-Cookie: _csrf=FAozEmPNoyRVc9m0zMfB2zRhYLE6MTcwMzIzNDA0MTczODQ3NzU5OQ; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< X-Frame-Options: SAMEORIGIN
< Date: Fri, 22 Dec 2023 08:34:01 GMT
< Content-Length: 0
< 
* Connection #0 to host localhost left intact

Unfortunately this does not fix CORS problem Access to XMLHttpRequest at 'https://gitea-instance/login/oauth/keys' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Comparing requests from inside the docker container to /.well-known/openid-configuration (working fine with configured CORS) and /login/oauth/keys (does not work with configured CORS) reveals a slighty different behaviour in the response: a missing Vary: Origin header

gitea-657d8d55f-zsvpz:/# curl -v -X GET http://localhost:3000/.well-known/openid-configuration
Note: Unnecessary use of -X or --request, GET is already inferred.
* Host localhost:3000 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:3000...
* Connected to localhost (::1) port 3000
> GET /.well-known/openid-configuration HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Cache-Control: max-age=0, private, must-revalidate, no-transform
< Content-Type: application/json
< Set-Cookie: i_like_gitea=41703721bbe40e8f; Path=/; HttpOnly; Secure; SameSite=Lax
< Set-Cookie: _csrf=2CKS9AezAEu7Jnu5JC1shgSvWMw6MTcwMzIzNjE1MTU5NjAzNDEzNA; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax
< Vary: Origin
< X-Frame-Options: SAMEORIGIN
< Date: Fri, 22 Dec 2023 09:09:11 GMT
< Content-Length: 1202
< 
gitea-657d8d55f-zsvpz:/# curl -v -X GET http://localhost:3000/login/oauth/keys
Note: Unnecessary use of -X or --request, GET is already inferred.
* Host localhost:3000 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:3000...
* Connected to localhost (::1) port 3000
> GET /login/oauth/keys HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: max-age=0, private, must-revalidate, no-transform
< Content-Type: application/json
< Set-Cookie: i_like_gitea=8501161059fe4bca; Path=/; HttpOnly; Secure; SameSite=Lax
< Set-Cookie: _csrf=fRxN0IMo5_6nV1T7xqbsCu1Ma-w6MTcwMzIzNjE5NjM2NDMwOTY0MA; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax
< X-Frame-Options: SAMEORIGIN
< Date: Fri, 22 Dec 2023 09:09:56 GMT
< Content-Length: 804
<

According to Understanding the Importance of “Vary: Origin” to Prevent Cache Confusion and CORS Errors this might be the root cause why CORS is not working as expected.

Unfortunately i am not that deep dived enough to fix missing Vary: Origin header in /login/oauth/keys and /login/oauth/userinfo on my own and would appreciate any help.

morphelinho added a commit to morphelinho/gitea that referenced this issue Dec 22, 2023
morphelinho added a commit to morphelinho/gitea that referenced this issue Dec 22, 2023
@wxiaoguang
Copy link
Contributor

Thank you for your PR.

After #28583 gets merged, I will propose some following fixes.

wxiaoguang pushed a commit that referenced this issue Dec 22, 2023
Follow #28184
Follow #28515

Fix problem with 405 method not allowed for CORS wrt OIDC
GiteaBot pushed a commit to GiteaBot/gitea that referenced this issue Dec 22, 2023
Follow go-gitea#28184
Follow go-gitea#28515

Fix problem with 405 method not allowed for CORS wrt OIDC
lunny pushed a commit that referenced this issue Dec 22, 2023
Backport #28583 by @morphelinho

Follow #28184
Follow #28515

Fix problem with 405 method not allowed for CORS wrt OIDC

Co-authored-by: morphelinho <[email protected]>
@wxiaoguang
Copy link
Contributor

-> Refactor CORS handler #28587

techknowlogick pushed a commit to techknowlogick/gitea that referenced this issue Dec 23, 2023
Follow go-gitea#28184
Follow go-gitea#28515

Fix problem with 405 method not allowed for CORS wrt OIDC
lunny pushed a commit that referenced this issue Dec 25, 2023
The CORS code has been unmaintained for long time, and the behavior is
not correct.

This PR tries to improve it. The key point is written as comment in
code. And add more tests.

Fix #28515
Fix #27642
Fix #17098
wxiaoguang added a commit to wxiaoguang/gitea that referenced this issue Dec 25, 2023
The CORS code has been unmaintained for long time, and the behavior is
not correct.

This PR tries to improve it. The key point is written as comment in
code. And add more tests.

Fix go-gitea#28515
Fix go-gitea#27642
Fix go-gitea#17098
# Conflicts:
#	tests/integration/cors_test.go
wxiaoguang added a commit that referenced this issue Dec 25, 2023
Backport #28587, the only conflict is the test file.

The CORS code has been unmaintained for long time, and the behavior is
not correct.

This PR tries to improve it. The key point is written as comment in
code. And add more tests.

Fix #28515
Fix #27642
Fix #17098
katsusan pushed a commit to katsusan/gitea that referenced this issue Dec 26, 2023
The CORS code has been unmaintained for long time, and the behavior is
not correct.

This PR tries to improve it. The key point is written as comment in
code. And add more tests.

Fix go-gitea#28515
Fix go-gitea#27642
Fix go-gitea#17098
fuxiaohei pushed a commit to fuxiaohei/gitea that referenced this issue Jan 17, 2024
Follow go-gitea#28184
Follow go-gitea#28515

Fix problem with 405 method not allowed for CORS wrt OIDC
fuxiaohei pushed a commit to fuxiaohei/gitea that referenced this issue Jan 17, 2024
The CORS code has been unmaintained for long time, and the behavior is
not correct.

This PR tries to improve it. The key point is written as comment in
code. And add more tests.

Fix go-gitea#28515
Fix go-gitea#27642
Fix go-gitea#17098
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 9, 2024
silverwind pushed a commit to silverwind/gitea that referenced this issue Feb 20, 2024
The CORS code has been unmaintained for long time, and the behavior is
not correct.

This PR tries to improve it. The key point is written as comment in
code. And add more tests.

Fix go-gitea#28515
Fix go-gitea#27642
Fix go-gitea#17098
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants