No CORS headers on OPTIONS /oauth/token
Summary
The /oauth/token endpoint doesn't respond with CORS headers on a preflight OPTIONS request.
Steps to reproduce
Do an OPTIONS request with an origin != gitlab.com to https://gitlab.com/oauth/token from an OAuth2 application running in an environment with CORS support, a browser for example. The request is rejected by the browser with a CORS violation:
Access to fetch at 'https://gitlab.com/oauth/token' from origin 'https://blabla.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
Example Project
What is the current bug behaviour?
- No support for OPTIONS requests for CORS preflight requests.
What is the expected correct behaviour?
- Support OPTIONS requests for CORS preflight.
Relevant logs and/or screenshots
Relevant issues:
Output of checks
This bug happens on GitLab.com
Possible fixes
- Uladzimir Tryputska mentioned in issue #300077 (closed)
- Stan Hu added typefeature label
- Stan Hu mentioned in merge request !89566 (merged)
!89566 (merged) should handle this.
If anyone needs those, feel free to open a merge request. I'm closing this because !89566 (merged) should be live soon on GitLab.com.
- Maintainer
Setting label(s) devopsmanage sectiondev based on ~"group::authentication and authorization".
- 🤖 GitLab Bot 🤖 added devopsmanage sectiondev labels
- Stan Hu closed
- Author
@stanhu is the fix deployed? Because the issue is still present.
@Uladzimir.Tryputska The fix is deployed. How are you testing? I did this:
curl -v -H "Origin: myhost.com" -X OPTIONS -v \
  "https://gitlab.com/oauth/token?grant_type=client_credentials&client_id=MY-CLIENT-ID&client_secret=MY-CLIENT-SECRET&redirect_uri=https://test.example.org/mycallback"
And I see this in the output:
< HTTP/2 200
< date: Wed, 22 Jun 2022 17:00:43 GMT
< content-type: application/json; charset=utf-8
< content-length: 147
< access-control-allow-methods: POST, OPTIONS
< access-control-allow-origin: *
< access-control-expose-headers:
< access-control-max-age: 7200
< cache-control: no-store
- Author
@stanhu curl is copied from my browser
curl 'https://gitlab.com/oauth/token' \
  -X 'OPTIONS' \
  -H 'authority: gitlab.com' \
  -H 'accept: */*' \
  -H 'accept-language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,ru;q=0.6' \
  -H 'access-control-request-headers: x-requested-with' \
  -H 'access-control-request-method: POST' \
  -H 'cache-control: no-cache' \
  -H 'origin: https://example.com' \
  -H 'pragma: no-cache' \
  -H 'referer: https://example.com/' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: cross-site' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36' \
  -v
and the response is
< HTTP/1.1 200 OK
< Date: Thu, 23 Jun 2022 07:15:17 GMT
< Content-Length: 0
< Connection: keep-alive
< Cache-Control: no-cache
< X-Request-Id: 01G67PMKN6ZMRA0JA4HSWKBNHA
< X-Runtime: 0.000588
< GitLab-LB: fe-15-lb-gprd
< GitLab-SV: web-gke-us-east1-b
< CF-Cache-Status: DYNAMIC
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=XXJ84YytUPVG6S4y2lP2fqxWYfejN%2FNaKWCW5QmTps6Py%2BGnGJBRQkSOIZvp1VYYp5SPk2kaxu7ZYjeawOT%2F5wiA5SO%2FamdqE6YFxZRkAA6EUAUg9c9CbCJDNhQ%3D"}],"group":"cf-nel","max_age":604800}
< NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
< Strict-Transport-Security: max-age=31536000
< X-Content-Type-Options: nosniff
< Server: cloudflare
< CF-RAY: 71fb6e828bb07162-DUS
It seems that access-control-request-headers: x-requested-with is not allowed. Currently only the Authorization header is allowed. Omitting that header also works. This is denying the CORS header as a result: https://github.com/cyu/rack-cors/blob/6fbc109450f872bc12ab987f4b027f250b79d295/lib/rack/cors.rb#L392-L395
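A simplified model of the allowlist check the linked rack-cors lines perform, added here as illustration (not GitLab's or rack-cors's own code); it assumes a resource configured to allow only the Authorization header, as the comment above describes, and shows the same preflight passing once X-Requested-With is added to the allowlist:

```ruby
# Illustrative model of a rack-cors style preflight decision (not the gem's code).
# A preflight only receives CORS response headers when its origin, requested
# method and every requested header are acceptable; otherwise nothing is added
# and the browser reports "No 'Access-Control-Allow-Origin' header is present".

ALLOWED_METHODS = %w[POST OPTIONS].freeze

# Returns the CORS headers to add to the preflight response, or {} to refuse it.
def preflight_headers(env, allowed_headers:, origins: '*', max_age: 7200)
  return {} unless env['REQUEST_METHOD'] == 'OPTIONS'
  return {} if env['HTTP_ORIGIN'].to_s.empty?

  method = env['HTTP_ACCESS_CONTROL_REQUEST_METHOD'].to_s.upcase
  return {} unless ALLOWED_METHODS.include?(method)

  # Access-Control-Request-Headers is a comma-separated, case-insensitive list.
  requested = env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'].to_s
              .split(',').map { |h| h.strip.downcase }.reject(&:empty?)
  allowed = allowed_headers.map(&:downcase)
  # One header outside the allowlist is enough to refuse the whole preflight.
  return {} unless (requested - allowed).empty?

  {
    'Access-Control-Allow-Origin' => origins,
    'Access-Control-Allow-Methods' => ALLOWED_METHODS.join(', '),
    'Access-Control-Allow-Headers' => allowed_headers.join(', '),
    'Access-Control-Max-Age' => max_age.to_s
  }
end

# Constructed Rack env resembling the preflight copied from the browser above.
SWAGGER_PREFLIGHT = {
  'REQUEST_METHOD' => 'OPTIONS',
  'HTTP_ORIGIN' => 'https://example.com',
  'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'POST',
  'HTTP_ACCESS_CONTROL_REQUEST_HEADERS' => 'x-requested-with'
}.freeze

# Before: only Authorization is allowed, so the preflight gets no CORS headers.
BEFORE = preflight_headers(SWAGGER_PREFLIGHT, allowed_headers: %w[Authorization])
# After: X-Requested-With is added to the allowlist and the preflight succeeds.
AFTER = preflight_headers(SWAGGER_PREFLIGHT,
                          allowed_headers: %w[Authorization X-Requested-With])

if __FILE__ == $PROGRAM_NAME
  puts "before: #{BEFORE.inspect}"
  puts "after:  #{AFTER.inspect}"
end
```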
- Author
Yes, exactly. swagger-ui sends this header, and currently applications using Swagger cannot be integrated with GitLab OAuth. Link from the task description to the relevant Swagger ticket: https://github.com/swagger-api/swagger-ui/issues/6081
cc: @mitar
- Uladzimir Tryputska reopened
- 🤖 GitLab Bot 🤖 changed milestone to %15.2
- 🤖 GitLab Bot 🤖 added missed:15.1 label
- 🤖 GitLab Bot 🤖 added [deprecated] Accepting merge requests label
- Stan Hu mentioned in merge request !91156 (merged)
- Author
The issue still exists.
Maybe you have a plan for when a fix will be deployed?
- 🤖 GitLab Bot 🤖 changed milestone to %15.3
- 🤖 GitLab Bot 🤖 added missed:15.2 label
- Developer
FYI @stanhu on the chatter here since it looks like you were involved originally
I'm aware of this chatter. I'm not working on this at the moment since I have much higher priority items to address, and this feature is working as designed. The issue seems like a Swagger compatibility question. There's enough context here for someone else to submit a merge request.
- Hannah Sutor changed milestone to %Backlog
- Stan Hu added [deprecated] good for new contributors label
Is this #369945 (closed) the same problem as this issue?
- Author
Yes, it looks like the nature of the issue is the same, but it happens because of other request headers.
- Justin Ho Tuan Duong mentioned in commit 85e691ab
- Justin Ho Tuan Duong mentioned in issue #375270 (closed)
- Arturo Herrero marked this issue as related to #375270 (closed)
- Maintainer
We are fixing this issue while working on #375270 (closed).
I'm assigning @Andysoiron @bmarjanovic here as they are already assigned to the other issue.
- Arturo Herrero changed milestone to %15.6
- Arturo Herrero added backend label
- Arturo Herrero assigned to @Andysoiron and @bmarjanovic
- Arturo Herrero set weight to 0
- 🤖 GitLab Bot 🤖 removed [deprecated] Accepting merge requests label
- Bojan Marjanovic mentioned in merge request !98705 (merged)
- Bojan Marjanovic added workflowin review label
- Maintainer
Work finished in: !100702 (merged), and merged into !98705 (merged)
- Maintainer
This is still in review in !98705 (merged), which was previously blocked by !98437 (merged), but there are no blockers anymore.
- Maintainer
@Andysoiron having !98705 (merged) closed, we should be able to close this one, correct?
- Maintainer
Yes
- Andy Schoenen closed
- Bojan Marjanovic added workflowpost-deploy-db-production label and removed workflowin review label
- Thong Kuah mentioned in issue omnibus-gitlab#5425 (closed)
- Jessie Young mentioned in issue #369945 (closed)
- Jessie Young mentioned in issue #424378 (closed)