Hi,
I’m using Keycloak in k8s behind an ingress-nginx reverse proxy with SSL.
I’ve done all the mentioned proxy settings on the server and client side,
also including the web-origins settings with:
- /+
- https://example.com.tr
- /*
The slash on the plus and the star is only for this topic request.
But when I log in to my React app, I get the CORS error:
Access to XMLHttpRequest at 'https://auth.example.com.tr/auth/realms/MyApp/protocol/openid-connect/token' from origin 'https://example.com.tr' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
So I think this is an ingress-nginx configuration error.
I tried it with:
nginx.ingress.kubernetes.io/configuration-snippet: |
  # Start empty so the variable is initialized when the Origin does not match
  set $allow_origin "";
  # Echo the Origin back only for example.com.tr / example.net and their subdomains
  if ($http_origin ~ '^https:\/\/(.*\.)?example\.(com\.tr|net)$') {
    set $allow_origin $http_origin;
  }
  # CORS preflight needs additional options and a different return code
  if ($request_method = 'OPTIONS') {
    more_set_headers 'Access-Control-Allow-Origin: $allow_origin';
    more_set_headers 'Access-Control-Allow-Credentials: true';
    more_set_headers 'Access-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS';
    more_set_headers 'Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,X-Client-Identifier';
    more_set_headers 'Access-Control-Max-Age: 1728000';
    more_set_headers 'Content-Type: text/plain; charset=UTF-8';
    more_set_headers 'Content-Length: 0';
    return 204;
  }
  more_set_headers 'Access-Control-Allow-Origin: $allow_origin';
  more_set_headers 'Access-Control-Allow-Credentials: true';
  more_set_headers 'Access-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS';
  more_set_headers 'Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,X-Client-Identifier';
and
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
  more_set_headers "Access-Control-Allow-Origin: $http_origin";
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS, DELETE, PATCH"
So is this an issue with my Keycloak configuration, or with the nginx configuration, which is deleting necessary headers?
Thanks in advance
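
Added example, not part of the original post: a small JavaScript model of the check the browser applies to a response when the request was sent with withCredentials = true, next to the allowlist decision the proxy has to make before echoing an Origin. It goes slightly beyond the single error quoted above by also flagging a header that arrives more than once. The function names are hypothetical, the header samples are constructed, and the regex is the one from the post with the dot in "com.tr" escaped.

```javascript
// Added example; function names are hypothetical, header values are constructed.
// Allowlist regex from the post, with the dot in "com.tr" escaped.
const ALLOWED_ORIGIN = /^https:\/\/(.*\.)?example\.(com\.tr|net)$/;

// Proxy side: echo the Origin only when it is on the allowlist.
function originToEcho(requestOrigin) {
  return ALLOWED_ORIGIN.test(requestOrigin) ? requestOrigin : null;
}

// Browser side: checks applied to a response to a credentialed request.
// `headers` is a list of [name, value] pairs, so a header emitted twice
// (for example by the backend and again by the proxy) stays visible.
function checkCredentialedCors(requestOrigin, headers) {
  const get = (name) =>
    headers.filter(([k]) => k.toLowerCase() === name).map(([, v]) => v.trim());
  const acao = get('access-control-allow-origin');
  const acac = get('access-control-allow-credentials');
  const problems = [];
  if (acao.length === 0) problems.push('missing Access-Control-Allow-Origin');
  if (acao.length > 1) problems.push('multiple Access-Control-Allow-Origin values');
  if (acao.includes('*')) problems.push("wildcard '*' with credentials mode 'include'");
  if (acao.length === 1 && acao[0] !== '*' && acao[0] !== requestOrigin)
    problems.push('Access-Control-Allow-Origin differs from the request Origin');
  if (acac.length !== 1 || acac[0] !== 'true')
    problems.push("Access-Control-Allow-Credentials is not exactly 'true'");
  return problems;
}

// Constructed responses for the origin used in the post.
const origin = 'https://example.com.tr';
const samples = {
  wildcard: [['Access-Control-Allow-Origin', '*'],
             ['Access-Control-Allow-Credentials', 'true']],
  echoed: [['Access-Control-Allow-Origin', originToEcho(origin)],
           ['Access-Control-Allow-Credentials', 'true']],
  duplicated: [['Access-Control-Allow-Origin', '*'],
               ['Access-Control-Allow-Origin', origin],
               ['Access-Control-Allow-Credentials', 'true']],
};
for (const [name, headers] of Object.entries(samples)) {
  const problems = checkCredentialedCors(origin, headers);
  console.log(name, problems.length ? problems : 'accepted');
}
```

To compare against a live response, copy the response headers of the failing token request from the browser's network tab into the same [name, value] form.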