I have added corsPolicy on my Istio Virtual Service route so that the response contains the appropriate Access-Control-Allow-Origin header when the request contains an Origin header. It works well.
I have added oauth2-proxy using an AuthorizationPolicy with CUSTOM action. Now the response doesn't contain the Access-Control-Allow-Origin header anymore, even after successful authentication.
Is there something to do in oauth2-proxy or envoyExtAuthzHttp configuration to fix CORS support ?
I finally fixed it by adding the following EnvoyFilter:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: cors-filter
namespace: istio-system
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
patch:
operation: INSERT_BEFORE
value:
name: envoy.filters.http.cors
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors"