OPTIONS Method not passing through ForwardAuth

Traefik Traefik v3 (latest)
,
1

I have recently built a POC to test using the ForwardAuth middleware on a traefik v3 IngressRoute to process a firebase token. The ForwardAuth uses a spring boot app to validate and parse the token. The service that the request gets forwarded to is also a spring boot app. We are making calls from a vuejs app. Ultimately, Vue -> Traefik::ForwardAuth -> REST API service.

I will admit I have limited experience with Traefik, and am coming from a little more experience with KONG. I have found that the preflight request (Method.OPTIONS) is failing at the middleware. The only way around it is I either have to remove the ForwardAuth middleware from the IngressRoute or add an extra route to handle the Options method.

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: forward-auth
  namespace: traefik
spec:
  forwardAuth:
    address: "http://auth-validator.traefik.svc.cluster.local/api/auth/v1/validate"
    trustForwardHeader: true
    authResponseHeadersRegex: ^X-
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: api-ingress-route-options
  namespace: traefik
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`example.com`) && PathPrefix(`/api/v1`) && Method(`OPTIONS`)
      kind: Rule
      services:
        - name: rest-api
          namespace: external-apis
          port: 8080

By doing this the Options call skips the middleware. I feel there has got to be another way, but have not been able to find anything on forums or in the docs.

Any advice on handling CORS with ForwardAuth would be greatly appreciated.

1 Like
2

It seems it’s not mentioned in the doc. If you think it’s a bug, you can report it on Traefik Github. A reproducible example always helps there.

1 Like
3

@gmcclellan when you say failing at the middleware, you have seen it failing at Traefik logs ? Or at your auth-validator app logs?

4

I haven't seen errors show up in the logs. What I observe is that I the vue app preflight call to OPTIONS returns a 400 error when the middleware is enabled. If I disable the middleware on the exact path, or enable the OPTIONS method to bypass the middleware it goes right through. So, it could be a number of things. It could have something to do with the authenticator service the forward auth plugin performs the check against may have to do something (although I can only think something to do with CORS configurations but have tried a lot of variations), or it might be some other traefik route feature I need to enable, either way I'm not finding anything in forums or in documentation. It does feel like Forward Auth should have some type of global pattern match that you can have it ignore but I haven't seen anything like that in docs.

Putting the traefik load balancer service in debug mode I get this error that correlates in the logs to the time I run it.

traefik-8694b9f949-fbx9b 2025-02-19T03:41:26Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/forward.go:223 > Remote error http://auth-service.traefik.svc.cluster.local/api/v1/authenticate. StatusCode: 400 middlewareName=traefik-forward-auth@kubernetescrd middlewareType=ForwardAuth