I’m trying to get the CORS plugin working in Kong API 2.5.1.0.
Currently I get the following error in the browser:
Access to XMLHttpRequest at ‘https://api.domain/gateway/booking-management/2.0/users?userId=TI0003’ from origin ‘https://origindomain’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
HTTP Request for preflight looks like:
Request URL: https://api.host/gateway/booking-management/2.0/users?userId=TI0003
Request Method: OPTIONS
Status Code: 404 Not Found
Remote Address: ipaddress:443
Referrer Policy: strict-origin-when-cross-origin
Response Header
Connection: keep-alive
Content-Length: 48
Content-Type: application/json; charset=utf-8
Date: Fri, 18 Feb 2022 02:29:36 GMT
Server: kong/2.5.1.0-enterprise-edition
X-Kong-Response-Latency: 1
Request Header:
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en-AU;q=0.9,en;q=0.8
Access-Control-Request-Headers: authorization,authorizationbasic,clientname,content-type
Access-Control-Request-Method: POST
Cache-Control: no-cache
Connection: keep-alive
Host: api.host
Origin: https://origindomain
Pragma: no-cache
Referer: https://origindomain/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
The YAML configuration has CORS enabled at the service level (though I’ve also tried to add CORS at route level).
The YAML format version is: _format_version: "0.1"
config:
  credentials: true
  exposed_headers:
  - Authorization
  - AuthorizationBasic
  - ClientName
  - Access-Control-Allow-Origin
  - Access-Control-Allow-Methods
  - Access-Control-Expose-Headers
  headers:
  - Accept
  - Cache-Control
  - Authorization
  - Content-Type
  - ClientName
  - AuthorizationBasic
  - Content-Length
  - Access-Control-Allow-Origin
  max_age: 3600
  methods:
  - GET
  - POST
  - PATCH
  - HEAD
  - OPTIONS
  origins:
  - '*'
  preflight_continue: false
enabled: true
name: cors
protocols:
- grpc
- grpcs
- http
- https
Below is the route. Note: I’ve tried adding the OPTIONS method to the main route, but below I have added a separate preflight route … to no avail.
- headers:
    ClientName:
    - DEMOPROD
  https_redirect_status_code: 426
  methods:
  - GET
  - POST
  - PUT
  - DELETE
  - PATCH
  - HEAD
  name: Demo_PROD_V2_Users
  path_handling: v0
  paths:
  - /gateway/booking-management/2.0/users
  plugins:
  - config:
      <acl auth>
  - config:
      <introspection auth>
  - config:
      <request transformer>
  - config:
      <route-by-header>
  preserve_host: false
  protocols:
  - http
  - https
  regex_priority: 0
  request_buffering: true
  response_buffering: true
  strip_path: true
and the preflight route:
headers:
  ClientName:
  - DEMOPROD
https_redirect_status_code: 426
methods:
- OPTIONS
name: Demo_PROD_V2_Users_Preflight
path_handling: v0
paths:
- /gateway/booking-management/2.0/users
preserve_host: false
protocols:
- http
- https
regex_priority: 0
request_buffering: true
response_buffering: true
strip_path: true
The service uses Keycloak for OAuth2 introspection:
- implementation:
    kong:
      service:
        connect_timeout: 60000
        host: keycloak.domain
        id: 9d67b5f2-9b65-4c69-8a01-03e9dacd335a
        path: /auth/realms/{realmname}/protocol/openid-connect/token
Any help would be greatly appreciated
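Added example, not part of the original post and not Kong's own router: a simplified Python model of method/path/header route matching, run against the captured preflight. In the capture the OPTIONS request names ClientName only inside Access-Control-Request-Headers, while both posted routes require a ClientName header; the `VARIANT` routes and the `ACTUAL` request are constructed here for comparison.

```python
from dataclasses import dataclass, field

@dataclass
class Route:
    name: str
    methods: set
    paths: list
    headers: dict = field(default_factory=dict)  # header name -> allowed values

    def matches(self, method, path, req_headers):
        # Simplified model (assumption): method, path prefix and every
        # configured header must all match for the route to be selected.
        sent = {k.lower(): v for k, v in req_headers.items()}
        return (method in self.methods
                and any(path.startswith(p) for p in self.paths)
                and all(sent.get(h.lower()) in allowed
                        for h, allowed in self.headers.items()))

def route_for(routes, method, path, req_headers):
    """Name of the first matching route, or None (the gateway's 404 case)."""
    return next((r.name for r in routes if r.matches(method, path, req_headers)), None)

PATH = "/gateway/booking-management/2.0/users"
NEEDS_CLIENT = {"ClientName": ["DEMOPROD"]}

# The two routes as posted: both carry the ClientName header condition.
POSTED = [
    Route("Demo_PROD_V2_Users", {"GET", "POST", "PUT", "DELETE", "PATCH", "HEAD"},
          [PATH], NEEDS_CLIENT),
    Route("Demo_PROD_V2_Users_Preflight", {"OPTIONS"}, [PATH], NEEDS_CLIENT),
]
# Hypothetical variant: same preflight route with the header condition removed.
VARIANT = [POSTED[0], Route("Demo_PROD_V2_Users_Preflight", {"OPTIONS"}, [PATH])]

# Preflight headers from the capture: ClientName is only *named* in
# Access-Control-Request-Headers, it is not sent as a header of its own.
PREFLIGHT = {
    "Origin": "https://origindomain",
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Headers":
        "authorization,authorizationbasic,clientname,content-type",
}
# Constructed follow-up POST that does carry the custom header.
ACTUAL = {"Origin": "https://origindomain", "ClientName": "DEMOPROD"}

if __name__ == "__main__":
    for label, routes in (("posted", POSTED), ("variant", VARIANT)):
        print(label, "OPTIONS ->", route_for(routes, "OPTIONS", PATH, PREFLIGHT))
        print(label, "POST    ->", route_for(routes, "POST", PATH, ACTUAL))
```

In the variant, the ClientName condition is dropped only on the OPTIONS route, so it still applies to the methods that reach the upstream.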