Why is the Authorization header missing from Access-Control-Allow-Headers in a request using SignalR and http scheme?

[mtlive]

We tried to use Ocelot for our gateway, but our signalR requests (in http) ended up in Error 401 Unauthorized. I looked up the network requests and noticed that 'authorization' is missing in Access-Control-Allow-Headers:

This problem doesn't exist when connected directly or for other requests in other paths.
I even tried to create a separate route for this pass but the issue still remains.

Expected Behavior

authorization should be included in Access-Control-Allow-Headers in OPTIONS request method

Actual Behavior

It's missing

Specifications

• Version: 23.3.0
• Platform: .NET 8 (Windows)
• Subsystem:

[raman-m]

Hello @mtlive !
Welcome to Ocelot world! 🐯

Indeed, authentication and authorization have not been implemented in Ocelot for the Websockets feature. There's an ongoing issue, #1040, which is currently in progress. However, it's unclear when it will be resolved as there are no open PRs at the moment.

• For more details, see issue Authentication with SignalR  #1040.

I will mark our issue as a duplicate of #1040. At least we have implement both tickets #1040 and #2093 in one PR.
Let me know if this issue is about another dev case.

---

This problem doesn't exist when connected directly or for other requests in other paths.
I even tried to create a separate route for this pass but the issue still remains.

When you said "directly" did you try without Ocelot or with Ocelot?
Did you test anonymous route definition?
I mean if you want Authorization by Ocelot and it is not implemented, then you have to redefine to route anonym traffic only.

Show us your ocelot.json plz!

Ideally, better to upload your solution to GitHub as a repo.

[mtlive]

Indeed, authentication and authorization have not been implemented in Ocelot for the Websockets feature.

I don't do authentication at Ocelot, it'll be done at the service. Furthermore, this request isn't in WebSocket.

When you said "directly" did you try without Ocelot or with Ocelot?

By directly I mean without Ocelot.
My configuratin:

{
  "Routes": [
    {
      "DownstreamPathTemplate": "/api/{everything}",
      "DownstreamScheme": "http",
      "SwaggerKey": "officeautomation",
      "DownstreamHostAndPorts": [
        {
          "Host": "192.168.10.209",
          "Port": 5001
        }
      ],
      "UpstreamPathTemplate": "/officeautomation/api/{everything}"  
    }
  ]
}

[raman-m]

Okay, it appears I've identified the issue. However, I need to examine your C# configuration code.

🙏 Provide your Ocelot setup and configuration C# code, specifically the program.cs file❗

[raman-m]

"DownstreamScheme": "http",

Apologies for the confusion! If you're implementing SignalR, the http scheme isn't appropriate. You should use the ws or wss scheme instead. As stated in our Websockets documentation, the ws scheme is required ❗

Please update the scheme from http to ws:

• "DownstreamScheme": "ws",

There's no need to question "Why?" as this is the standard protocol.

[raman-m]

My current understanding of your problem is missing CORS setup in Ocelot web app.

• Read the docs: Enable Cross-Origin Requests (CORS) in ASP.NET Core
• Exactly what you need: Preflight requests

Also read more about CORS problems searching our repo with "UseCors"

Finally I'd say you need this setup to enable OPTIONS via CORS ASP.NET policy, from #799 (comment) 👉

        services.AddCors();
        services.AddOcelot(_config)
  
        // global cors policy
        app.UseCors(static x => x
            .AllowAnyOrigin()
            .AllowAnyMethod()
            .AllowAnyHeader()
            .DisallowCredentials()
        );

Hope it helps!

[mtlive]

I've applied your changes but it didn't solve my problem.
The weird part is this problem doesn't happen with my other services.

[raman-m]

Are other services WebSocks or HTTP?
Also, apply this recommendation plz: #2106 (reply in thread)

[raman-m]

The Authorization header may be missing in Access-Control-Allow-Headers for a specific request due to the server not including it in the preflight response. When a browser sends a preflight request, it expects certain headers to be present in the response from the server, including Authorization if it's needed for the actual request. To resolve this, ensure that the server's response to the preflight request includes Access-Control-Allow-Headers with Authorization listed. Additionally, if the request method is OPTIONS, you may need to add OPTIONS to the Access-Control-Allow-Methods header as well.

[mtlive]

My original Program.cs

public class Startup
{
    // This method gets called by the runtime. Use this method to add services to the container.
    // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddOcelot();
        services.AddSignalR();
        services.AddLogging();
        services.AddCors();
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        app.UseCors(bu =>
        {
            bu.AllowAnyMethod().AllowAnyHeader().SetIsOriginAllowed(origin => true).AllowCredentials();
        });

        app.UseOcelot().Wait();
    }
}

[raman-m]

What's your full name?
What's your social links including your LinkedIn?