From cd2280b5ed0861c46579cc2d0418487b656f1a8c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20J=C3=B6rg?= <moritz.jorg@oceanbox.io>
Date: Sat, 14 Mar 2026 17:26:40 +0100
Subject: [PATCH] fix(dex): Allow cors

---
 values/dex/values/values.yaml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/values/dex/values/values.yaml b/values/dex/values/values.yaml
index 430151d2..7b638d42 100644
--- a/values/dex/values/values.yaml
+++ b/values/dex/values/values.yaml
@@ -14,7 +14,7 @@ config:
         mode: disable
   web:
     http: 0.0.0.0:5556
-    allowedOrigins: ["*"]
+    # CORS is handled by nginx ingress annotations below instead of at the application level
   frontend:
     # theme: light
     theme: coreos
@@ -159,6 +159,12 @@ ingress:
     cert-manager.io/cluster-issuer: letsencrypt-production
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
     nginx.ingress.kubernetes.io/backend-protocol: HTTP
+    # CORS: allow browser-based OIDC flows (e.g. token introspection, JWKS fetch)
+    # TODO: migrate to Gateway API HTTPRoute with ResponseHeaderModifier filter when cilium gateway supports it cluster-wide
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/cors-allow-origin: "*"
+    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, OPTIONS"
+    nginx.ingress.kubernetes.io/cors-allow-headers: "Authorization, Content-Type"
   hosts:
     - host: auth.adm.oceanbox.io
       paths: