OAuth2 provider and CORS #25464
added wireshark trace
OAuth to my knowledge does not require CORS. What are you trying to do?
I'm trying to delegate user OAuth2 authentication to Gitea from another website and get a token session to be used to call the Gitea API.
silverwind added a commit that referenced this issue Jul 21, 2023
…der for ".well-known" (#25974)

Replace #25892

Close #21942
Close #25464

Major changes:

1. Serve "robots.txt" and ".well-known/security.txt" in the "public" custom path
    * All files in "public/.well-known" can be served, just like "public/assets"
3. Add a test for ".well-known/security.txt"
4. Simplify the "FileHandlerFunc" logic, now the paths are consistent so the code can be simpler
5. Add CORS header for ".well-known" endpoints
6. Add logs to tell users they should move some of their legacy custom public files

```
2023/07/19 13:00:37 cmd/web.go:178:serveInstalled() [E] Found legacy public asset "img" in CustomPath. Please move it to /work/gitea/custom/public/assets/img
2023/07/19 13:00:37 cmd/web.go:182:serveInstalled() [E] Found legacy public asset "robots.txt" in CustomPath. Please move it to /work/gitea/custom/public/robots.txt
```

This PR is not breaking.

---------

Co-authored-by: silverwind <[email protected]>
Co-authored-by: Giteabot <[email protected]>
Description
I'm trying to integrate Gitea OpenID Connect authentication from another website.
I have configured the following CORS parameters:

```
[cors]
ENABLED = true
ALLOW_DOMAIN = *
ALLOW_CREDENTIALS = true
```

It looks like CORS is working on the API, so if I try to call /packages/{owner}?, the browser includes the Origin header in the request and the Gitea response includes:

```
Access-Control-Allow-Origin: *
```

Then, if I try to use OAuth2 provider authentication, the Gitea response doesn't include Access-Control-Allow-Origin, generating the following CORS error:

```
Access to XMLHttpRequest at 'http://:3000/.well-known/openid-configuration' from origin 'http://:8085' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
```

How can I fix this?
Thanks
Gitea Version
1.19.3
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
Ubuntu 22.04.2 LTS
How are you running Gitea?
I'm running Gitea as a stack on a Docker Swarm node.
image: gitea/gitea:1.19.3
image: postgres:11-alpine
Database
PostgreSQL
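
As an added illustration (not part of the original issue and not Gitea's code), the following models the check a browser applies to the two responses described in the report, and extends it to credentialed requests, which is what `ALLOW_CREDENTIALS = true` concerns. The origin `http://app.example:8085` and both header sets are constructed placeholders.

```javascript
// Added example: the browser-side CORS check for a cross-origin GET.
// ORIGIN and both header sets are constructed to mirror the report above.
const ORIGIN = "http://app.example:8085"; // placeholder for the calling site

function corsCheck(origin, responseHeaders, withCredentials) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;

  const acao = h["access-control-allow-origin"];
  if (acao === undefined) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (!withCredentials) {
    const ok = acao === "*" || acao === origin;
    return { allowed: ok, reason: ok ? "ok" : "origin mismatch" };
  }
  // Credentialed requests: "*" is rejected, the origin must match exactly,
  // and Access-Control-Allow-Credentials must be the literal string "true".
  if (acao === "*") {
    return { allowed: false, reason: "wildcard not valid with credentials" };
  }
  if (acao !== origin) return { allowed: false, reason: "origin mismatch" };
  if (h["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "credentials not allowed" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed responses: the API reply as quoted in the report, and the
// discovery document reply that carried no CORS headers.
const apiReply = { "Access-Control-Allow-Origin": "*" };
const discoveryReply = { "Content-Type": "application/json" };

function runReportCases() {
  return {
    apiAnonymous: corsCheck(ORIGIN, apiReply, false),
    apiWithCookies: corsCheck(ORIGIN, apiReply, true),
    discovery: corsCheck(ORIGIN, discoveryReply, false),
    explicitOrigin: corsCheck(ORIGIN, {
      "access-control-allow-origin": ORIGIN,
      "access-control-allow-credentials": "true",
    }, true),
  };
}

console.log(runReportCases());
```

The `apiWithCookies` case shows that a wildcard `Access-Control-Allow-Origin` only satisfies requests sent without credentials; a site that needs cookies or HTTP authentication on cross-origin calls has to be named explicitly by the server.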