WildcardOriginNotAllowed Error behind ingress-nginx

Hi,

I'm using Keycloak in k8s behind an ingress-nginx reverse proxy with SSL.

I've done all the mentioned proxy settings on the server and client side,
also including the web-origins settings with:

(The slash on plus and star is only for this topic request.)

But when I log in to my React app, I get the CORS error:

Access to XMLHttpRequest at 'https://auth.example.com.tr/auth/realms/MyApp/protocol/openid-connect/token' from origin 'https://example.com.tr' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

So I think this is an ingress-nginx configuration error.

I tried it with:

    nginx.ingress.kubernetes.io/configuration-snippet: |
      if ($http_origin ~ '^https:\/\/(.*\.)?example\.(com.tr|net)$') {
        set $allow_origin $http_origin;
      }
      # CORS preflight requests need additional headers and a different return code
      if ($request_method = 'OPTIONS') {
        more_set_headers 'Access-Control-Allow-Origin: $allow_origin';
        more_set_headers 'Access-Control-Allow-Credentials: true';
        more_set_headers 'Access-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS';
        more_set_headers 'Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,X-Client-Identifier';
        more_set_headers 'Access-Control-Max-Age: 1728000';
        more_set_headers 'Content-Type: text/plain charset=UTF-8';
        more_set_headers 'Content-Length: 0';
        return 204;
      }
      more_set_headers 'Access-Control-Allow-Origin: $allow_origin';
      more_set_headers 'Access-Control-Allow-Credentials: true';
      more_set_headers 'Access-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS';
      more_set_headers 'Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,X-Client-Identifier';

and

    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |
        more_set_headers "Access-Control-Allow-Origin: $http_origin";
    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
    nginx.ingress.kubernetes.io/cors-allow-methods: PUT, GET, POST, OPTIONS, DELETE, PATCH

So is this an issue with my Keycloak configuration, or with the nginx configuration, which is deleting necessary headers?

Thanks in Advance

Your nginx CORS config is very simple for an OIDC use case. Disable any CORS config on the nginx level and let your Keycloak manage CORS headers exclusively.

You are doing something wrong if you have a CORS issue when only Keycloak manages CORS headers.

I made my recommendations for this type of issue here: GitHub - jangaraj/keycloak-cors-issue-debugging: Recommendations how to solve/debug CORS issues, when Keycloak IDP is used

Hi jangaraj,

Thanks for the response. I was fighting with this problem for two weeks now. Of course, after I wrote this post, I solved it. grr

Ingress:

    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://example.com.tr"
    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
    nginx.ingress.kubernetes.io/cors-allow-methods: PUT, GET, POST, OPTIONS, DELETE, PATCH

You are allowing only one particular domain/origin with this setup. Why can't your Keycloak users use their clients on different domains?
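To make the three outcomes in this thread concrete, here is an added Python example (not code from the thread, from ingress-nginx or from Keycloak) that emulates the browser's CORS response check and runs it against the three header policies discussed: the `enable-cors` default of `Access-Control-Allow-Origin: *` with credentials (the `WildcardOriginNotAllowed` error), the `$http_origin` reflection from the second attempt, and the exact-match allowlist from the fix, extended to more than one origin to answer the last question. `https://evil.example` and the second allowlist entry `https://example.net` are constructed inputs; the policy functions are assumptions about what each configuration sends, not the ingress-nginx implementation.

```python
"""Emulate the browser-side CORS check against three proxy header policies.

Added example for the thread above; it is not code from ingress-nginx or
Keycloak. Policies and sample origins are constructed for illustration.
"""
import re
from typing import Callable, Dict, Tuple

Headers = Dict[str, str]

APP_ORIGIN = "https://example.com.tr"   # the React app's origin from the thread
EVIL_ORIGIN = "https://evil.example"    # constructed attacker origin


def cors_check(request_origin: str, credentials_mode: str, headers: Headers) -> Tuple[bool, str]:
    """Simplified Fetch-spec 'CORS check' a browser applies to a cross-origin
    response. credentials_mode is 'include' (XHR withCredentials=true) or
    'omit'. Returns (allowed, reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials")
    if acao is None:
        return False, "No 'Access-Control-Allow-Origin' header is present"
    if credentials_mode != "include" and acao == "*":
        return True, "ok (wildcard, no credentials)"
    if acao == "*":
        # Chromium reports this case as WildcardOriginNotAllowed.
        return False, "WildcardOriginNotAllowed: '*' is rejected when credentials mode is 'include'"
    if acao != request_origin:
        return False, f"AllowOriginMismatch: {acao!r} != {request_origin!r}"
    if credentials_mode != "include":
        return True, "ok"
    if acac != "true":
        return False, "MissingAllowCredentials: Access-Control-Allow-Credentials must be 'true'"
    return True, "ok (credentials allowed)"


# --- Response policies modelled on the thread's three configurations --------

def wildcard_policy(request_origin: str) -> Headers:
    """enable-cors with the default cors-allow-origin '*' and
    cors-allow-credentials 'true': the combination behind the error."""
    return {"Access-Control-Allow-Origin": "*",
            "Access-Control-Allow-Credentials": "true"}


def reflect_policy(request_origin: str) -> Headers:
    """more_set_headers 'Access-Control-Allow-Origin: $http_origin' with
    credentials enabled: echoes whatever Origin the request carries."""
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true"}


# Exact-match allowlist; the second entry is constructed to show multi-origin use.
ALLOWED_ORIGINS = frozenset({APP_ORIGIN, "https://example.net"})


def allowlist_policy(request_origin: str) -> Headers:
    """What the cors-allow-origin fix expresses. Assumes the proxy omits the
    CORS headers for an unlisted origin; a proxy that instead emits the
    configured value unchanged is rejected by the browser just the same."""
    if request_origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            # Stop shared caches from serving one origin's answer to another.
            "Vary": "Origin"}


def evaluate(policy: Callable[[str], Headers], request_origin: str,
             credentials_mode: str = "include") -> Tuple[bool, str]:
    """Run one policy for one request origin through the browser check."""
    return cors_check(request_origin, credentials_mode, policy(request_origin))


# The origin regex from the poster's first snippet, copied as written.
OP_ORIGIN_REGEX = re.compile(r'^https:\/\/(.*\.)?example\.(com.tr|net)$')


def op_regex_allows(origin: str) -> bool:
    """True if the poster's nginx 'if ($http_origin ~ ...)' would set $allow_origin."""
    return OP_ORIGIN_REGEX.search(origin) is not None


if __name__ == "__main__":
    policies = [("wildcard", wildcard_policy), ("reflect", reflect_policy),
                ("allowlist", allowlist_policy)]
    for name, policy in policies:
        for origin in (APP_ORIGIN, EVIL_ORIGIN):
            ok, why = evaluate(policy, origin)
            print(f"{name:9} {origin:24} -> {'ALLOWED' if ok else 'blocked'}: {why}")
    for origin in (APP_ORIGIN, "https://anything.example.com.tr", "https://example.comxtr"):
        print(f"op regex  {origin:32} -> {op_regex_allows(origin)}")
```

Running it shows why each configuration behaved as it did: the wildcard policy blocks even the legitimate app once `withCredentials` is on, the reflection policy lets `https://evil.example` make credentialed calls to the token endpoint as well, and only the exact-match allowlist passes the listed origins and nothing else. The regex probe also shows two hygiene points in the first snippet: `(.*\.)?` accepts every subdomain of the listed zones, and the unescaped dot in `com.tr` matches any character, so `https://example.comxtr` passes the check; whether either is exploitable depends on which names an attacker can control. Against a live ingress the same check is a `curl -sI` with a made-up `Origin:` header, looking at whether that value comes back in `Access-Control-Allow-Origin`.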