
CORS Not working as expected #151

Closed
bensont1 opened this issue Jan 10, 2019 · 3 comments

Comments

@bensont1

bensont1 commented Jan 10, 2019

Describe the bug
With CORS enabled, the proxy does not seem to return the correct headers.

To Reproduce
Steps to reproduce the behavior:
Enable CORS in config
Set CORS_ALLOWED_ORIGINS="*"
Make a request through the Oathkeeper proxy

Expected behavior
Response from Proxy to return single Access-Control-Allow-Origin header

Screenshots
(screenshot omitted)

Version:

  • Environment: Docker
  • Version: v0.14.2_oryOS.10

Additional context
Also, setting the origin explicitly in CORS_ALLOWED_ORIGINS results in a similar error: Access-Control-Allow-Origin is set twice in the response.

@aeneasr
Member

aeneasr commented Jan 13, 2019

Pretty sure CORS_ALLOWED_ORIGINS="*" should be without quotes. Can you show the full config please?

@bensont1
Author

I have tried setting the proxy to * for allowed origins, but in Chrome it is still showing two headers: one is * and the other is the originating URL, which seems to be echoed in the response.

On start of oathkeeper-proxy, this is the output:

time="2019-01-13T22:44:07Z" level=info msg="Authenticator \"oauth2_introspection\" was configured and enabled successfully."
time="2019-01-13T22:44:07Z" level=warning msg="Authenticator \"oauth2_client_credentials\" is not configured and thus disabled."
time="2019-01-13T22:44:07Z" level=warning msg="Authenticator \"jwt\" is not configured and thus disabled."
time="2019-01-13T22:44:07Z" level=info msg="Listening on https://:4455.\n"

When the request is made, these are the logs from oathkeeper-proxy:

[cors] 2019/01/13 23:01:17 Handler: Preflight request
[cors] 2019/01/13 23:01:17   Preflight response headers: map[Vary:[Origin Access-Control-Request-Method Access-Control-Request-Headers] Access-Control-Allow-Origin:[*] Access-Control-Allow-Methods:[GET] Access-Control-Allow-Headers:[Authorization]]
[cors] 2019/01/13 23:01:18 Handler: Actual request
time="2019-01-13T23:01:18Z" level=info msg="started handling request" method=GET remote="10.2.151.2:57784" request=/member
[cors] 2019/01/13 23:01:18   Actual response added headers: map[Vary:[Origin] Access-Control-Allow-Origin:[*]]
time="2019-01-13T23:01:18Z" level=warning msg="Access request granted" access_url="https://*******/member" granted=true
time="2019-01-13T23:01:18Z" level=info msg="completed handling request" measure#oathkeeper-proxy.latency=40341435 method=GET remote="10.2.151.2:57784" request=/member status=200 text_status=OK took=40.341435ms

And finally, these are the configuration environment variables passed on docker launch:

"Env": [
    "CREDENTIALS_ISSUER_ID_TOKEN_HS256_SECRET=**********",
    "AUTHENTICATOR_OAUTH2_INTROSPECTION_URL=https://**********/oauth2/introspect",
    "HTTPS_TLS_KEY_PATH=/certs/key.pem",
    "CORS_ENABLED=true",
    "CORS_DEBUG=true",
    "CORS_ALLOWED_CREDENTIALS=false",
    "OATHKEEPER_API_URL=https://**********:4456",
    "PORT=4455",
    "AUTHORIZER_KETO_URL=https://**********:4466",
    "HTTPS_TLS_CERT_PATH=/certs/cert.pem",
    "CORS_ALLOWED_ORIGINS=*",
    "CORS_ALLOWED_HEADERS=Authorization,Accept,Accept-Language,Content-Language,Content-Type",
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],

@bensont1
Author

@aeneasr I triple checked my system, and it looks like our Go server was spitting out CORS headers as well, which explains why I was seeing multiple headers. Sorry for the confusion.
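
The root cause the reporter found (the proxy's CORS layer and the upstream Go service both emitting Access-Control-Allow-Origin, so the client sees "*" plus the echoed Origin) can be reproduced and checked in-process. The following is an added example, not Oathkeeper's code and not the reporter's service: the CORS middleware is a minimal stand-in for the proxy's CORS layer, the upstream handler is constructed to echo the Origin as described in the thread, the upstream address "http://upstream.internal" and the client origin "https://app.example" are assumptions, and the in-process transport exists only so the example runs without a socket. It shows the duplicated header, applies the browser's single-value check to it, and shows one remedy on the proxy side: dropping the upstream's Access-Control-* headers so exactly one layer answers CORS.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// upstreamHandler mirrors the reporter's upstream Go service: it emits its own
// CORS headers, echoing the request Origin (constructed for this example).
func upstreamHandler(w http.ResponseWriter, r *http.Request) {
	if origin := r.Header.Get("Origin"); origin != "" {
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Add("Vary", "Origin")
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, `{"member":"ok"}`)
}

// corsMiddleware is a minimal stand-in for the proxy's CORS layer (not
// Oathkeeper's code): it sets Access-Control-Allow-Origin: * before handing the
// request to the proxy, which then appends whatever the upstream returned.
func corsMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Origin") != "" {
			w.Header().Add("Access-Control-Allow-Origin", "*")
			w.Header().Add("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// inProcess routes proxied requests straight to the upstream handler so the
// example needs no listening socket.
type inProcess struct{ upstream http.Handler }

func (t inProcess) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.upstream.ServeHTTP(rec, r)
	return rec.Result(), nil
}

// newProxy builds a reverse proxy to the assumed upstream. With
// stripUpstreamCORS set, every Access-Control-* header the upstream returns is
// dropped before the proxy copies headers to the client.
func newProxy(stripUpstreamCORS bool) http.Handler {
	target, _ := url.Parse("http://upstream.internal") // assumed upstream address
	rp := httputil.NewSingleHostReverseProxy(target)
	rp.Transport = inProcess{http.HandlerFunc(upstreamHandler)}
	if stripUpstreamCORS {
		rp.ModifyResponse = func(res *http.Response) error {
			for k := range res.Header {
				if strings.HasPrefix(k, "Access-Control-") {
					res.Header.Del(k)
				}
			}
			return nil
		}
	}
	return rp
}

// AllowOriginValues sends a cross-origin GET /member through handler and
// returns every Access-Control-Allow-Origin value in the response.
func AllowOriginValues(handler http.Handler, origin string) []string {
	req := httptest.NewRequest(http.MethodGet, "/member", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Result().Header.Values("Access-Control-Allow-Origin")
}

// OriginCheckPasses applies the browser's check for a non-credentialed request:
// exactly one Access-Control-Allow-Origin value, equal to "*" or to the request
// Origin. Two values fail, which Chrome reports as "contains multiple values".
func OriginCheckPasses(values []string, origin string) bool {
	return len(values) == 1 && (values[0] == "*" || values[0] == origin)
}

// Scenario returns the header values seen when both layers set CORS headers
// (duplicated) and when the proxy strips the upstream's (fixed).
func Scenario(origin string) (duplicated, fixed []string) {
	duplicated = AllowOriginValues(corsMiddleware(newProxy(false)), origin)
	fixed = AllowOriginValues(corsMiddleware(newProxy(true)), origin)
	return duplicated, fixed
}

func main() {
	origin := "https://app.example" // constructed client origin
	dup, fixed := Scenario(origin)
	fmt.Printf("both layers set CORS:   %v  browser check passes: %t\n", dup, OriginCheckPasses(dup, origin))
	fmt.Printf("upstream CORS stripped: %v  browser check passes: %t\n", fixed, OriginCheckPasses(fixed, origin))
}
```

Either layer can own CORS; what matters is that only one does. Disabling it on the upstream, as the reporter did, is equivalent to the ModifyResponse stripping shown here. The single-value rule also applies when CORS_ALLOWED_CREDENTIALS is true, and in that case browsers additionally reject a literal "*", so the allowed origin must then be listed explicitly.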
