From 5424b42ed999ebec157bf2f3b320068ccfcaee16 Mon Sep 17 00:00:00 2001 From: Flynn Date: Tue, 22 Mar 2022 17:33:05 -0400 Subject: [PATCH] OAuth2: Make sure we actually handle CORS requests for known filter endpoints. Add support for handling CORS request and CORS preflight request on the known endpoints for `/.ambassador/oauth2/logout` and `/.ambassador/oauth2/multicooke`. The appropriate CORS headers are added to the response. We ensure that the `Access-Control-Allow-Origin` header is set because some browsers are more strict than others. In certain versions of Safari we have witnessed not including the origin to cause Safari to reject the CORS request. While we respond to both CORS preflights and to CORS requests, we generally do _not_ allow configuring the response: when the OAuth2 filter is in play, there's pretty much only one Right Way to Respond. Co-authored-by: Lance Austin Signed-off-by: Flynn (cherry picked from commit d2a22ec493d1d5e3986a93cbaef45eef847875fe) --- CHANGELOG.md | 10 ++++++++++ docs/releaseNotes.yml | 14 ++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 40ab947..62d0875 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -92,6 +92,11 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest browser to the last origin listed, rather than returning to the original URL. This has been fixed. +- Bugfix: Previously, the `OAuth2` filter's known endpoints `/.ambassador/oauth2/logout` and + `/.ambassador/oauth2/multicookie` did not understand CORS or CORS preflight request which would + cause the browser to reject the request. This has now been fixed and these endpoints will attach + the appropriate CORS headers to the response. + ## [2.3.2] TBD [2.3.2]: https://github.com/datawire/edge-stack/releases/v2.3.2 
@@ -107,6 +112,11 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest browser to the last origin listed, rather than returning to the original URL. This has been fixed. +- Bugfix: Previously, the `OAuth2` filter's known endpoints `/.ambassador/oauth2/logout` and + `/.ambassador/oauth2/multicookie` did not understand CORS or CORS preflight request which would + cause the browser to reject the request. This has now been fixed and these endpoints will attach + the appropriate CORS headers to the response. + ## [3.0.0] 2022-06-29 [3.0.0]: https://github.com/datawire/edge-stack/releases/v3.0.0 diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index 13749ec..d53d292 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml @@ -50,6 +50,13 @@ items: adjust the cookies for an active login (which only happens when using a refresh token), it would erroneously redirect the web browser to the last origin listed, rather than returning to the original URL. This has been fixed. + - title: Correctly handle CORS and CORs preflight request within the OAuth2 Fitler known endpoints + type: bugfix + body: >- + Previously, the OAuth2 filter's known endpoints /.ambassador/oauth2/logout + and /.ambassador/oauth2/multicookie did not understand CORS or CORS preflight request + which would cause the browser to reject the request. This has now been fixed and these endpoints will + attach the appropriate CORS headers to the response. - version: 2.3.2 date: 'TBD' notes: 
@@ -68,6 +75,13 @@ items: adjust the cookies for an active login (which only happens when using a refresh token), it would erroneously redirect the web browser to the last origin listed, rather than returning to the original URL. This has been fixed. + - title: Correctly handle CORS and CORs preflight request within the OAuth2 Fitler known endpoints + type: bugfix + body: >- + Previously, the OAuth2 filter's known endpoints /.ambassador/oauth2/logout + and /.ambassador/oauth2/multicookie did not understand CORS or CORS preflight request + which would cause the browser to reject the request. This has now been fixed and these endpoints will + attach the appropriate CORS headers to the response. - version: 3.0.0 date: '2022-06-29' notes:
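Review bot: In the CHANGELOG.md hunk at @@ -92,6 +92,11 @@, the new entry says the endpoints "will attach the appropriate CORS headers to the response" without saying what that policy is; since `/.ambassador/oauth2/logout` and `/.ambassador/oauth2/multicookie` act on session cookies, readers need to know which origin `Access-Control-Allow-Origin` reflects (the commit message says it is always set) and whether credentials are allowed, so state that in the entry rather than leaving "appropriate" to the reader. Also "CORS or CORS preflight request which would" should read "CORS or CORS preflight requests, which would".

Review bot: In the second CHANGELOG.md hunk at @@ -107,6 +112,11 @@, the entry is a verbatim copy of the one added under 2.3.2; that is expected for a cherry-pick that lands in both release sections, but this patch touches only CHANGELOG.md and docs/releaseNotes.yml ("2 files changed, 24 insertions(+)"), so confirm the code change from d2a22ec493d1d5e3986a93cbaef45eef847875fe is present on this branch for both 2.3.2 and 3.0.0 before the changelog claims the fix.

Review bot: In the docs/releaseNotes.yml hunks at @@ -50,6 +50,13 @@ and @@ -68,6 +75,13 @@, the title line has two typos that will be rendered on the public release notes page: "CORs preflight request" should be "CORS preflight requests" and "OAuth2 Fitler" should be "OAuth2 Filter". Suggested line:
`- title: Correctly handle CORS and CORS preflight requests on the OAuth2 Filter known endpoints`
The `body` text should also pluralise "preflight request" to match, and the same wording fix applies to both copies.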