Using gitea as OIDC provider - CORS problem

[morphelinho]

Description

I want to use my own hosted gitea instance as OIDC provider for a test SPA based on angular-oauth2-oidc.

Request for oidc discovery is blocked with error message:
Access to XMLHttpRequest at 'https://gitea-instance/.well-known/openid-configuration' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Enabling cors in gitea-instance via

[cors]
ENABLED = true
ALLOW_DOMAIN = *

does unblock this request but the follow up request for autodiscovery is blocked too:

Access to XMLHttpRequest at 'https://gitea-instance/login/oauth/keys' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Any help would be appreciated.

Gitea Version

Gitea version: 1.21.2 built with GNU Make 4.4.1, go1.21.5 : bindata, timetzdata, sqlite, sqlite_unlock_notify

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Docker image gitea/gitea:latest in self hosted bare metal kubernetes single node cluster.

Database

None

[wxiaoguang]

Same as #28184 (comment) , the keys handler was never covered by CORS. You could try to add m.Options("/login/oauth/keys", CorsHandler(), misc.DummyBadRequest) to code and build your own binary to see whether it works well.

[morphelinho]

As suggested I tested with a local build image containing the following modification in routers/web/web.go:
m.Options("/login/oauth/userinfo", CorsHandler(), misc.DummyBadRequest)
m.Options("/login/oauth/keys", CorsHandler(), misc.DummyBadRequest)
This solution fixes the problem mentioned in #28184 with

Request URL: https://gitea-instance/login/oauth/userinfo
Request Method: OPTIONS
Status Code: 405 Method Not Allowed

curl -v -X OPTIONS --header "Access-Control-Request-Method: POST" http://localhost:3000/login/oauth/access_token
* Host localhost:3000 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:3000...
* Connected to localhost (::1) port 3000
> OPTIONS /login/oauth/access_token HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/8.5.0
> Accept: */*
> Access-Control-Request-Method: POST
> 
< HTTP/1.1 200 OK
< Cache-Control: max-age=0, private, must-revalidate, no-transform
< Set-Cookie: i_like_gitea=b38d09d373f10a89; Path=/; HttpOnly; Secure; SameSite=Lax
< Set-Cookie: _csrf=FAozEmPNoyRVc9m0zMfB2zRhYLE6MTcwMzIzNDA0MTczODQ3NzU5OQ; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< X-Frame-Options: SAMEORIGIN
< Date: Fri, 22 Dec 2023 08:34:01 GMT
< Content-Length: 0
< 
* Connection #0 to host localhost left intact

Unfortunately this does not fix CORS problem Access to XMLHttpRequest at 'https://gitea-instance/login/oauth/keys' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Comparing requests from inside the docker container to /.well-known/openid-configuration (working fine with configured CORS) and /login/oauth/keys (does not work with configured CORS) reveals a slighty different behaviour in the response: a missing Vary: Origin header

gitea-657d8d55f-zsvpz:/# curl -v -X GET http://localhost:3000/.well-known/openid-configuration
Note: Unnecessary use of -X or --request, GET is already inferred.
* Host localhost:3000 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:3000...
* Connected to localhost (::1) port 3000
> GET /.well-known/openid-configuration HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Cache-Control: max-age=0, private, must-revalidate, no-transform
< Content-Type: application/json
< Set-Cookie: i_like_gitea=41703721bbe40e8f; Path=/; HttpOnly; Secure; SameSite=Lax
< Set-Cookie: _csrf=2CKS9AezAEu7Jnu5JC1shgSvWMw6MTcwMzIzNjE1MTU5NjAzNDEzNA; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax
< Vary: Origin
< X-Frame-Options: SAMEORIGIN
< Date: Fri, 22 Dec 2023 09:09:11 GMT
< Content-Length: 1202
< 

gitea-657d8d55f-zsvpz:/# curl -v -X GET http://localhost:3000/login/oauth/keys
Note: Unnecessary use of -X or --request, GET is already inferred.
* Host localhost:3000 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:3000...
* Connected to localhost (::1) port 3000
> GET /login/oauth/keys HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: max-age=0, private, must-revalidate, no-transform
< Content-Type: application/json
< Set-Cookie: i_like_gitea=8501161059fe4bca; Path=/; HttpOnly; Secure; SameSite=Lax
< Set-Cookie: _csrf=fRxN0IMo5_6nV1T7xqbsCu1Ma-w6MTcwMzIzNjE5NjM2NDMwOTY0MA; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax
< X-Frame-Options: SAMEORIGIN
< Date: Fri, 22 Dec 2023 09:09:56 GMT
< Content-Length: 804
<

According to Understanding the Importance of “Vary: Origin” to Prevent Cache Confusion and CORS Errors this might be the root cause why CORS is not working as expected.

Unfortunately i am not that deep dived enough to fix missing Vary: Origin header in /login/oauth/keys and /login/oauth/userinfo on my own and would appreciate any help.

[wxiaoguang]

Thank you for your PR.

After #28583 gets merged, I will propose some following fixes.

[wxiaoguang]

-> Refactor CORS handler #28587