OPTIONS requests
Timer opened this issue · 4 comments
HTTP OPTIONS requests typically skip authorization because credentials are always omitted in CORS requests -- is there a way we can configure this behavior?
Motivation:
I have two apps, calls.example.com and calls-api.example.com, and am trying to share credentials between them. Calls from the web to api fail on OPTIONS requests because auth is required, but not permitted per the specification.
Unfortunately there isn't anything that could be done in this application; if there is some configuration, it should be done on nginx itself, in order to test authentication on this application on receiving an OPTIONS request.
Sorry, I misunderstood your question, what you need is a conditional auth test, right? For now I recommend you make it on nginx, I believe there is a match you can perform on the request, but it is true that a future version will allow it:
https://github.com/tiagoapimenta/nginx-ldap-auth/blob/next/config.sample.yaml
History:
https://github.com/tiagoapimenta/nginx-ldap-auth/blob/8c94852/config.sample.yaml
But having said that, it will only allow you to configure different authentication rules depending on some headers, and a special rule called allowAnonymous is planned that may be what you need.
what you need is a conditional auth test, right
Yes, based on HTTP header. This sounds like what I need.
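
Added example, not part of the thread and not the project's own configuration: one way to do the nginx-side workaround suggested above, answering CORS preflight requests before the auth subrequest runs while keeping every other method authenticated. It assumes the auth service is wired in through `auth_request`; the `/auth` location, the upstream addresses, the certificate paths and the method and header lists are placeholders.

```nginx
# Constructed example for the http {} context. Only the two hostnames come
# from the issue; everything else is an assumption.

# Echo the Origin back only for the one trusted front end. A wildcard is
# not allowed together with credentials, and an empty value makes nginx
# omit the header entirely.
map $http_origin $cors_origin {
    default                     "";
    "https://calls.example.com" $http_origin;
}
map $cors_origin $cors_credentials {
    default "";
    "~."    "true";
}

server {
    listen 443 ssl;
    server_name calls-api.example.com;
    ssl_certificate     /etc/nginx/tls/placeholder.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/placeholder.key;   # placeholder path

    location = /auth {
        internal;
        proxy_pass http://127.0.0.1:5555;      # assumed auth service address
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }

    location / {
        # "return" runs in the rewrite phase, before the access phase where
        # auth_request runs, so only the preflight is answered without auth.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin      $cors_origin always;
            add_header Access-Control-Allow-Credentials $cors_credentials always;
            add_header Access-Control-Allow-Methods     "GET, POST, OPTIONS" always;
            add_header Access-Control-Allow-Headers     "Authorization, Content-Type" always;
            add_header Vary                             Origin always;
            return 204;
        }

        auth_request /auth;                     # all other methods still authenticate
        add_header Access-Control-Allow-Origin      $cors_origin always;
        add_header Access-Control-Allow-Credentials $cors_credentials always;
        add_header Vary                             Origin always;
        proxy_pass http://127.0.0.1:8080;       # assumed API backend
    }
}
```

The `always` flag keeps the CORS headers on 401 responses, so the browser can surface the auth failure to the calling page instead of reporting an opaque CORS error.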