-
The issue is most likely that the preflight doesn't include credentials (cookie header). This either needs to be fixed by the app developer or you need to set up a bypass rule for the preflight requests.
-
Thanks James, I've tried also to include the suggested doc setup, but it does not work.
It only works if I bypass them completely (as mentioned above, tested with bypass on local networks).
-
Is that even possible? The other domain ( So the workflow is like this: the main app Outline is protected by oidc, having its main domain at Maybe the second domain doesn't need protection? Anyway, this is a weird situation. LE: it seems the cookies are not included in the POST request. If I bypass POST, it works.
GET requests are passed correctly:
-
I've been struggling to find a solution to this, to no end.
So I have Outline set up with OIDC.
The main subdomain wiki.domain needs to make requests to wikidata.domain in order to upload images.
I've set up a CORS policy in Caddy v2, but all the time I have this error in the browser.
Access to XMLHttpRequest at 'https://wikidata.domain.net/outline' from origin 'https://wiki.domain.net' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
I've configured it correctly with the CORS snippet; it should respond with 204, but somehow it still redirects.
My caddy snippet:
If I bypass for internal IP for wiki.domain and wikidata.domain in Authelia, the uploads work, so this makes me think the issue is with Authelia rather than my CORS reverse proxy setup.
Could you point me in the right direction?
My identity provider's CORS setting (I've tried with "*" as well) doesn't work.
Authelia log during request:
time="2023-03-01T20:55:12+02:00" level=info msg="Access to https://wikidata.domain.net/outline (method OPTIONS) is not authorized to user <anonymous>, responding with status code 302 with location redirect to https://auth.domain.net/?rd=https%3A%2F%2Fwikidata.domain.net%2Foutline&rm=OPTIONS" method=GET path=/api/verify remote_ip=192.168.1.153
I also found this at https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#preflighted_requests
However, I do not know how I should adapt this.
Any insights?
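The bypass rule suggested in the first reply, sketched as an Authelia access_control fragment. This is an added example, not configuration posted by anyone in the thread; the domains are taken from the browser error above, and default_policy and the one_factor policy are assumptions.

```yaml
# Added example; not configuration from the thread.
# Domains come from the browser error quoted in the post; the policies
# chosen for the non-preflight rule are assumptions.
access_control:
  default_policy: deny          # assumption
  rules:
    # Rules are evaluated top to bottom and the first match wins, so the
    # preflight rule must sit above the rule that requires a login.
    # Browsers send CORS preflights (OPTIONS) without cookies, so a
    # session check on them always ends in the 302 seen in the log.
    - domain: 'wikidata.domain.net'
      methods:
        - 'OPTIONS'
      policy: bypass

    # Every other method (GET, POST uploads, ...) still needs a session.
    - domain:
        - 'wiki.domain.net'
        - 'wikidata.domain.net'
      policy: one_factor        # assumption
```

Scoping the bypass to OPTIONS on the one domain keeps GET and POST behind the authenticated policy. With the rule in place the log line for the preflight should no longer show a 302 for user <anonymous>, and the request reaches the proxy's CORS handling.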