Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Teleport App to App CORS error #50456

Open
JoeSpiral opened this issue Dec 19, 2024 · 2 comments
Open

Teleport App to App CORS error #50456

JoeSpiral opened this issue Dec 19, 2024 · 2 comments

Comments

@JoeSpiral
Copy link

Expected behavior:
Teleport would proxy requests from one app to another without CORS error.

Current behavior:
Currently we are getting the following CORS error:

Access to fetch at 'https://test-auth.teleport.test.us/v2/test/auth' from origin 'https://test.teleport.test.us' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Bug details:

  • Teleport version: 17.0.5

  • Recreation steps
    Hitting the test app hits an AWS Amplify endpoint and works without issue. This then produces a login page. The actual authentication hits the test-auth app which redirects to a backend service that does SAML auth. It never gets that far. The browser kills it with the error above. Preflight does work though. I have no issues turning off CORS for these apps if possible and the easiest way forward.

  • Config

version: v3
teleport:
  nodename: test.test.com
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  cluster_name: teleport.test.com
  proxy_listener_mode: multiplex
ssh_service:
  enabled: "yes"
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:443
  public_addr: teleport.test.com:443
  https_keypairs: []
  https_keypairs_reload_interval: 0s
  acme:
    enabled: "yes"
    email: xxx

app_service:
  enabled: "yes"
  apps:
  - name: "test"
    uri: "https://test-secure.test.com"
    public_addr: "test.teleport.test.com"
    required_apps:
      - 'test-auth'
    cors:
      allowed_origins:
        - '*'
      allowed_methods:
        - 'GET'
        - 'POST'
        - 'PUT'
        - 'DELETE'
        - 'OPTIONS'
      allowed_headers:
        - 'Content-Type'
        - 'Authorization'
        - 'X-Custom-Header'
        - 'Access-Control-Allow-Origin'
      exposed_headers:
        - 'Content-Type'
        - 'X-Custom-Response-Header'
        - 'Authorization'
        - 'X-Custom-Header'
        - 'Access-Control-Allow-Origin'
      allow_credentials: true
  - name: "test-auth"
    uri: "https://test-auth.test.com"
    public_addr: "test-auth.teleport.test.com"
    rewrite:
      headers:
      - 'Origin: https://test-auth.teleport.test.com'
      - 'Host: test-auth.teleport.test.com'
      redirect:
      - 'test-auth.test.com'
    cors:
      allowed_origins:
        - 'https://test-auth.teleport.test.com'
        - 'https://test.teleport.test.com'
        - 'https://teleport.test.com'
      allowed_methods:
        - 'GET'
        - 'POST'
        - 'PUT'
        - 'DELETE'
        - 'OPTIONS'
      allowed_headers:
        - 'Content-Type'
        - 'Authorization'
        - 'X-Custom-Header'
        - 'Access-Control-Allow-Origin'
      exposed_headers:
        - 'Content-Type'
        - 'X-Custom-Response-Header'
        - 'Authorization'
        - 'X-Custom-Header'
        - 'Access-Control-Allow-Origin'
      allow_credentials: true
@zmb3
Copy link
Collaborator

zmb3 commented Dec 19, 2024

The actual authentication hits the test-auth app which redirects to a backend service that does SAML auth. It never gets that far. The browser kills it with the error above.

It looks like you've correctly configured allowed_origins for the test-auth app. Can you share the response to the preflight request? Is the Access-Control-Allow-Origin header present?

@JoeSpiral
Copy link
Author

JoeSpiral commented Dec 19, 2024

Thanks for looking here are the responses to the preflight:

General:

Request URL:
https://test-auth.teleport.test.com/v2/test/auth
Request Method:
OPTIONS
Status Code:
200 OK
Remote Address:
2.23.254.175:443
Referrer Policy:
strict-origin-when-cross-origin

Response Headers:

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type,Authorization,X-Custom-Header,Access-Control-Allow-Origin
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS
Access-Control-Allow-Origin: https://test.teleport.test.com
Date: Thu, 19 Dec 2024 21:24:07 GMT
Content-Length: 0

Request Headers

OPTIONS /v2/test/auth HTTP/1.1
Accept: /
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-com,en;q=0.9
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Connection: keep-alive
Host: test-auth.teleport.test.com
Origin: https://test.teleport.test.com
Referer: https://test.teleport.test.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants