Teleport App to App CORS error #50456

Open
JoeSpiral opened this issue Dec 19, 2024 · 4 comments
Labels
application-access bug inactive Items that have gone stale and are likely to be closed.

Comments

@JoeSpiral

Expected behavior:
Teleport would proxy requests from one app to another without CORS error.

Current behavior:
Currently we are getting the following CORS error:

Access to fetch at 'https://test-auth.teleport.test.us/v2/test/auth' from origin 'https://test.teleport.test.us' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Bug details:

  • Teleport version: 17.0.5

  • Recreation steps
    Hitting the test app hits an AWS Amplify endpoint and works without issue. This then produces a login page. The actual authentication hits the test-auth app which redirects to a backend service that does SAML auth. It never gets that far. The browser kills it with the error above. Preflight does work though. I have no issues turning off CORS for these apps if possible and the easiest way forward.

  • Config

version: v3
teleport:
  nodename: test.test.com
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  cluster_name: teleport.test.com
  proxy_listener_mode: multiplex
ssh_service:
  enabled: "yes"
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:443
  public_addr: teleport.test.com:443
  https_keypairs: []
  https_keypairs_reload_interval: 0s
  acme:
    enabled: "yes"
    email: xxx

app_service:
  enabled: "yes"
  apps:
  - name: "test"
    uri: "https://test-secure.test.com"
    public_addr: "test.teleport.test.com"
    required_apps:
      - 'test-auth'
    cors:
      allowed_origins:
        - '*'
      allowed_methods:
        - 'GET'
        - 'POST'
        - 'PUT'
        - 'DELETE'
        - 'OPTIONS'
      allowed_headers:
        - 'Content-Type'
        - 'Authorization'
        - 'X-Custom-Header'
        - 'Access-Control-Allow-Origin'
      exposed_headers:
        - 'Content-Type'
        - 'X-Custom-Response-Header'
        - 'Authorization'
        - 'X-Custom-Header'
        - 'Access-Control-Allow-Origin'
      allow_credentials: true
  - name: "test-auth"
    uri: "https://test-auth.test.com"
    public_addr: "test-auth.teleport.test.com"
    rewrite:
      headers:
      - 'Origin: https://test-auth.teleport.test.com'
      - 'Host: test-auth.teleport.test.com'
      redirect:
      - 'test-auth.test.com'
    cors:
      allowed_origins:
        - 'https://test-auth.teleport.test.com'
        - 'https://test.teleport.test.com'
        - 'https://teleport.test.com'
      allowed_methods:
        - 'GET'
        - 'POST'
        - 'PUT'
        - 'DELETE'
        - 'OPTIONS'
      allowed_headers:
        - 'Content-Type'
        - 'Authorization'
        - 'X-Custom-Header'
        - 'Access-Control-Allow-Origin'
      exposed_headers:
        - 'Content-Type'
        - 'X-Custom-Response-Header'
        - 'Authorization'
        - 'X-Custom-Header'
        - 'Access-Control-Allow-Origin'
      allow_credentials: true
@zmb3
Collaborator

zmb3 commented Dec 19, 2024

The actual authentication hits the test-auth app which redirects to a backend service that does SAML auth. It never gets that far. The browser kills it with the error above.

It looks like you've correctly configured allowed_origins for the test-auth app. Can you share the response to the preflight request? Is the Access-Control-Allow-Origin header present?

@JoeSpiral
Author

JoeSpiral commented Dec 19, 2024

@zmb3 ,
Thanks for looking. Here are the responses to the preflight:

General:

Request URL:
https://test-auth.teleport.test.com/v2/test/auth
Request Method:
OPTIONS
Status Code:
200 OK
Remote Address:
2.23.254.175:443
Referrer Policy:
strict-origin-when-cross-origin

Response Headers:

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type,Authorization,X-Custom-Header,Access-Control-Allow-Origin
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS
Access-Control-Allow-Origin: https://test.teleport.test.com
Date: Thu, 19 Dec 2024 21:24:07 GMT
Content-Length: 0

Request Headers

OPTIONS /v2/test/auth HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-com,en;q=0.9
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Connection: keep-alive
Host: test-auth.teleport.test.com
Origin: https://test.teleport.test.com
Referer: https://test.teleport.test.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36

@avatus
Contributor

avatus commented Dec 31, 2024

The Access-Control-Allow-Origin in the posted response above is correctly set to the requesting URL (I know it's test data, but assuming it matches). Teleport sets the initial CORS preflight with the requested origin if it's allowed in the spec. My cursory glance means the preflight is getting through Teleport and then failing at the destination app. Just to make sure, have you updated the CORS on the destination app to handle this origin as well?

@programmerq
Contributor

Another thing to consider is you may not want to force Origin: https://test-auth.teleport.test.com on the test-auth app. Instead, allow the browser-provided Origin through to avoid overwriting an expected value.
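The following is an added illustration, not code from Teleport or from anyone in this thread: a small model of the two-step CORS handshake discussed above, built from the test-auth app's cors block and the posted preflight headers. It shows why the preflight can succeed at the proxy while the browser still rejects the actual POST when the upstream response carries no Access-Control-Allow-Origin, or carries one for the rewritten Origin rather than the browser's. CorsSpec, preflight_response and browser_accepts are hypothetical names.

```python
# Added example (not Teleport's code): a model of the CORS handshake in this
# issue. The spec and request values come from the posted config and headers.
from dataclasses import dataclass

@dataclass
class CorsSpec:
    allowed_origins: list
    allowed_methods: list
    allowed_headers: list
    allow_credentials: bool = False

# The test-auth app's cors block from the issue's teleport.yaml.
TEST_AUTH = CorsSpec(
    allowed_origins=["https://test-auth.teleport.test.com",
                     "https://test.teleport.test.com", "https://teleport.test.com"],
    allowed_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
    allowed_headers=["Content-Type", "Authorization", "X-Custom-Header",
                     "Access-Control-Allow-Origin"],
    allow_credentials=True,
)

# The browser's OPTIONS preflight as posted in the thread.
PREFLIGHT = {"Origin": "https://test.teleport.test.com",
             "Access-Control-Request-Method": "POST",
             "Access-Control-Request-Headers": "content-type"}

def preflight_response(spec, req):
    """Answer a preflight the way the proxy did: echo the origin if allowed."""
    origin = req.get("Origin", "")
    method = req.get("Access-Control-Request-Method", "")
    if not ("*" in spec.allowed_origins or origin in spec.allowed_origins):
        return 403, {}
    if method not in spec.allowed_methods:
        return 403, {}
    headers = {"Access-Control-Allow-Origin": origin,
               "Access-Control-Allow-Methods": ",".join(spec.allowed_methods),
               "Access-Control-Allow-Headers": ",".join(spec.allowed_headers)}
    if spec.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return 200, headers

def browser_accepts(origin, resp_headers, credentials=True):
    """The check the browser applies to the actual response after preflight."""
    acao = resp_headers.get("Access-Control-Allow-Origin")
    if acao is None:            # the error quoted at the top of the issue
        return False
    if acao == "*":             # a wildcard is refused on credentialed requests
        return not credentials
    return acao == origin       # must match the browser's Origin exactly
```

The last case models an upstream that reflects the Origin it received: with the rewrite in the config it receives test-auth.teleport.test.com, so its Access-Control-Allow-Origin no longer matches the browser's test.teleport.test.com and the request is blocked.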

@zmb3 zmb3 added the inactive Items that have gone stale and are likely to be closed. label Jan 15, 2025