
OAuth2 provider and CORS #25464

Closed
acquleo opened this issue Jun 23, 2023 · 4 comments · Fixed by #25974

acquleo commented Jun 23, 2023

Description

I'm trying to integrate gitea OpenId Connect authentication from another website.
I have configured the following cors parameters:
```ini
[cors]
ENABLED = true
ALLOW_DOMAIN = *
ALLOW_CREDENTIALS = true
```

It looks like CORS is working on the API: if I try to call /packages/{owner}, the browser includes the Origin header in the request and the gitea response includes:
Access-Control-Allow-Origin: *

Then, if I try to use OAuth2 provider authentication, the gitea response doesn't include Access-Control-Allow-Origin, generating the following CORS error:

Access to XMLHttpRequest at 'http://:3000/.well-known/openid-configuration' from origin 'http://:8085' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

How can I fix this?

Thanks

Gitea Version

1.19.3

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

Ubuntu 22.04.2 LTS

How are you running Gitea?

I'm running Gitea as a stack on a docker swarm node.
image: gitea/gitea:1.19.3
image: postgres:11-alpine

Database

PostgreSQL


acquleo commented Jun 23, 2023

silverwind (Member) commented:

OAuth to my knowledge does not require CORS. What are you trying to do?


acquleo commented Jun 23, 2023

I'm trying to delegate user OAuth2 authentication to gitea from another website and get a session token to be used to call the gitea API.
In detail:

  • the user opens custom_website
  • clicks the login button
  • custom_website navigates to the OAuth2 authentication page of gitea
  • the user enters credentials in gitea
  • gitea redirects from the login page to custom_website, passing the user access token
  • custom_website uses the access token to call the gitea API

wxiaoguang (Contributor) commented:

It's not documented, but CORS only applies to these handlers:

[image]
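As an added illustration of what the thread is asking for (example code written for this page, not Gitea's own cors middleware), here is a Go middleware that adds CORS headers only on "/.well-known/" paths, mapping the reporter's ALLOW_DOMAIN and ALLOW_CREDENTIALS settings onto assumed CORSConfig fields. It also handles the wildcard-plus-credentials combination from the reporter's config, which browsers refuse.

```go
package main

import (
	"net/http"
	"strings"
)

// CORSConfig mirrors the issue's [cors] settings (field names are assumptions).
type CORSConfig struct {
	AllowDomains     []string // e.g. {"*"} or {"http://localhost:8085"}
	AllowCredentials bool
}

// allowOrigin picks the Access-Control-Allow-Origin value and whether
// credentials may accompany it. An exact match echoes the origin; a wildcard
// yields a literal "*" and never credentials: browsers reject "*" with
// credentials, and reflecting any origin with credentials would expose the
// user's session to every site (the classic CORS misconfiguration).
func (c CORSConfig) allowOrigin(origin string) (string, bool) {
	wildcard := false
	for _, d := range c.AllowDomains {
		if d == "*" {
			wildcard = true
		} else if origin != "" && strings.EqualFold(d, origin) {
			return origin, c.AllowCredentials
		}
	}
	if wildcard && origin != "" {
		return "*", false
	}
	return "", false // no Origin header (same-origin/non-browser) or not allowed
}

// WellKnownCORS adds CORS headers only on "/.well-known/" paths, e.g. the
// OIDC discovery document that custom_website fetches with XMLHttpRequest.
// That request is a simple GET, so no preflight handling is needed here.
func WellKnownCORS(c CORSConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, "/.well-known/") {
			if allow, creds := c.allowOrigin(r.Header.Get("Origin")); allow != "" {
				w.Header().Set("Access-Control-Allow-Origin", allow)
				w.Header().Add("Vary", "Origin") // shared caches must key on Origin
				if creds {
					w.Header().Set("Access-Control-Allow-Credentials", "true")
				}
			}
		}
		next.ServeHTTP(w, r)
	})
}
```

With ALLOW_DOMAIN = * and ALLOW_CREDENTIALS = true a browser still rejects a credentialed response carrying Access-Control-Allow-Origin: *, so listing the exact calling origin (the :8085 site in the report) is the configuration that works.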

silverwind added a commit that referenced this issue Jul 21, 2023
…der for ".well-known" (#25974)

Replace #25892

Close  #21942
Close  #25464

Major changes:

1. Serve "robots.txt" and ".well-known/security.txt" in the "public"
custom path
2. All files in "public/.well-known" can be served, just like
"public/assets"
3. Add a test for ".well-known/security.txt"
4. Simplify the "FileHandlerFunc" logic, now the paths are consistent so
the code can be simpler
5. Add CORS header for ".well-known" endpoints
6. Add logs to tell users they should move some of their legacy custom
public files

```
2023/07/19 13:00:37 cmd/web.go:178:serveInstalled() [E] Found legacy public asset "img" in CustomPath. Please move it to /work/gitea/custom/public/assets/img
2023/07/19 13:00:37 cmd/web.go:182:serveInstalled() [E] Found legacy public asset "robots.txt" in CustomPath. Please move it to /work/gitea/custom/public/robots.txt
```
This PR is not breaking.

---------

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Giteabot <teabot@gitea.io>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 5, 2023