Enabling cors plugin on consumer level #7303
Replies: 7 comments
-
Hi, thanks for giving this some thought. We will consider this feature request. In the meantime, you could try commenting out the following line: https://github.com/Kong/kong/blob/next/kong/plugins/cors/schema.lua#L29 And restarting Kong. See if that solves your issue. |
Beta Was this translation helpful? Give feedback.
-
Hi! Thx for considering it! I have tried your suggestion. I am now able to install the plugin for a consumer, but it unfortunately doesn't actually work. To be sure, I've installed the authentication plugin globally, while I installed the CORS plugin on a service. I am not sure, but I hoped this would resolve maybe issues with the order of plugins being handled. Did not work though. |
Beta Was this translation helpful? Give feedback.
-
Hi, I believe, enabling CORS plugin on consumer level is restricted due the plugin execution order. https://docs.konghq.com/2.0.x/plugin-development/custom-logic/#plugins-execution-order As per the above documentation, plugins relying on the identity of the consumer have to run after authentication plugins. In case of CORS plugin it will execute before the authentication plugin. If there is a requirement to use CORS with Consumer then please decrease the CORS plugin priority. |
Beta Was this translation helpful? Give feedback.
-
@vasuharish that seems indeed to be the case. I've got it working now with a modified CORS plugin, so i'm good. Out of interest though; what would be the use-case of catching requests with CORS before authentication? Is there a performance increase? People might get a different error of course, because this way authentication errors precede CORS errors, but we'll still be able to "disallow" requests from unknown origins after authentication. Anyway, my issue is resolved since I can make custom plugin. Thank you very much! So except if considering to change the plugin priority is an option, this issue can be closed. |
Beta Was this translation helpful? Give feedback.
-
I came across the same issue and would like to see this change. The consumer seems to me to be the most reasonable place for CORS configuration. When we onboard n API user, we create a consumer with unique credentials and access controls. If the user requires CORS, I'd rather not update a plugin on the service level with a long list of origins. |
Beta Was this translation helpful? Give feedback.
-
Is this still no progress? I think CORS should be able to use on consumer level as i see IP Restriction is on consumer level why isn't CORS available on this too. |
Beta Was this translation helpful? Give feedback.
-
Hi @jackzagger ! |
Beta Was this translation helpful? Give feedback.
-
Summary
Enabling the CORS plugin does not seem to be possible on consumer level. According to this issue this might be deliberate: #2235. But no explicit reason there, so I'm going to give it a shot as to why I think CORS is needed on a consumer level:
What I am hoping to achieve is to have the CORS plugin enabled for regular users, but disabled for 'premium' api users. Which would be possible if the plugin can be installed on consumers; in this case an anonymous user that I have already configured with one of the authentication plugins. Other - explicit - users will lack the plugin and won't be bothered by CORS.
Would this be considered a valid use case for the CORS plugin?
Beta Was this translation helpful? Give feedback.
All reactions