'authorization' is missing in Access-Control-Allow-Headers only in a specific request

[mtlive]

We tried to use Ocelot for our gateway, but our signalR requests (in http) ended up in Error 401 Unauthorized. I looked up the network requests and noticed that 'authorization' is missing in Access-Control-Allow-Headers:

This problem doesn't exist when connected directly or for other requests in other paths.
I even tried to create a separate route for this pass but the issue still remains.

Expected Behavior

authorization should be included in Access-Control-Allow-Headers in OPTIONS request method

Actual Behavior

It's missing

Specifications

• Version: 23.3.0
• Platform: .NET 8 (Windows)
• Subsystem:

[raman-m]

Hello @mtlive !
Welcome to Ocelot world! 🐯

Indeed, authentication and authorization have not been implemented in Ocelot for the Websockets feature. There's an ongoing issue, #1040, which is currently in progress. However, it's unclear when it will be resolved as there are no open PRs at the moment.

• For more details, see issue Authentication with SignalR  #1040.

I will mark our issue as a duplicate of #1040. At least we have implement both tickets #1040 and #2093 in one PR.
Let me know if this issue is about another dev case.

---

This problem doesn't exist when connected directly or for other requests in other paths.
I even tried to create a separate route for this pass but the issue still remains.

When you said "directly" did you try without Ocelot or with Ocelot?
Did you test anonymous route definition?
I mean if you want Authorization by Ocelot and it is not implemented, then you have to redefine to route anonym traffic only.

Show us your ocelot.json plz!

Ideally, better to upload your solution to GitHub as a repo.

[mtlive]

Indeed, authentication and authorization have not been implemented in Ocelot for the Websockets feature.

I don't do authentication at Ocelot, it'll be done at the service. Furthermore, this request isn't in WebSocket.

When you said "directly" did you try without Ocelot or with Ocelot?

By directly I mean without Ocelot.
My configuratin:

  "Routes": [
    {
      "DownstreamPathTemplate": "/api/{everything}",
      "DownstreamScheme": "http",
      "SwaggerKey": "officeautomation",
      "DownstreamHostAndPorts": [
        {
          "Host": "192.168.10.209",
          "Port": 5001
        }
      ],
      "UpstreamPathTemplate": "/officeautomation/api/{everything}"  
    }
  ]
}

[raman-m]

Okay, it appears I've identified the issue. However, I need to examine your C# configuration code.

🙏 Provide your Ocelot setup and configuration C# code, specifically the program.cs file❗

My current understanding of your problem is missing CORS setup in Ocelot web app.

• Read the docs: Enable Cross-Origin Requests (CORS) in ASP.NET Core
• Exactly what you need: Preflight requests

Finally I'd say you need this setup to enable OPTIONS via CORS:

[raman-m]

Apologies, this isn't an actual issue but rather a misconfiguration. I will convert this to a discussion...