Handling clientID/password from k8s secret

Dockerfile

@@ -1,32 +1,48 @@
-FROM golang:alpine as builder
+FROM golang:alpine AS deps
+
+WORKDIR /app
+COPY go.mod go.sum ./
+RUN sed -i '/replace/d' go.mod
+RUN cat go.mod
+RUN go mod download
+
+#----------------------------------------------------------------------------------------------
+
+FROM golang:alpine AS builder
 
 ARG HOSTNAME=http://localhost
 ARG NAME=local
 
-WORKDIR /app 
+RUN apk add git
+
+RUN go install github.com/beego/bee/v2@latest
+
+WORKDIR /oc-auth 
+
+COPY --from=deps /go/pkg /go/pkg
+COPY --from=deps /app/go.mod /app/go.sum ./
+
+RUN export CGO_ENABLED=0 && \
+    export GOOS=linux && \
+    export GOARCH=amd64 && \
+    export BUILD_FLAGS="-ldflags='-w -s'"
 
 COPY . .
 
-RUN apk add git
+RUN sed -i '/replace/d' go.mod
+RUN bee pack
+RUN mkdir -p /app/extracted && tar -zxvf oc-auth.tar.gz -C /app/extracted
+RUN sed -i 's/http:\/\/127.0.0.1:8080\/swagger\/swagger.json/swagger.json/g' /app/extracted/swagger/index.html
 
-RUN go get github.com/beego/bee/v2 && go install github.com/beego/bee/v2@master
+#----------------------------------------------------------------------------------------------
 
-RUN timeout 15 bee run -gendoc=true -downdoc=true -runmode=dev || :
+FROM golang:alpine
-
-RUN sed -i 's/http:\/\/127.0.0.1:8080\/swagger\/swagger.json/swagger.json/g' swagger/index.html
-
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-w -s" .
-
-RUN ls /app
-
-FROM scratch
 
 WORKDIR /app
-
+COPY --from=builder /app/extracted/oc-auth /usr/bin
-COPY --from=builder /app/oc-auth /usr/bin/ 
+COPY --from=builder /app/extracted/swagger /app/swagger
-COPY --from=builder /app/swagger /app/swagger
+COPY --from=builder /app/extracted/pem /app/pem
-
+COPY --from=builder /app/extracted/docker_auth.json /etc/oc/auth.json
-COPY docker_auth.json /etc/oc/auth.json
 
 EXPOSE 8080
 

Makefile

@@ -0,0 +1,27 @@
+.DEFAULT_GOAL := all
+
+build: clean
+	bee pack
+
+run:
+	bee run -gendoc=true -downdoc=true
+
+debug:
+	bee run -downdebug -gendebug
+
+clean:
+	rm -rf oc-auth oc-auth.tar.gz
+
+docker:
+	DOCKER_BUILDKIT=1 docker build -t oc/oc-auth:0.0.1 -f Dockerfile .
+	docker tag oc/oc-auth:0.0.1 oc/oc-auth:latest
+
+publish-kind:
+	kind load docker-image oc/oc-auth:0.0.1 --name opencloud
+
+publish-registry:
+	@echo "TODO"
+
+all: docker publish-kind publish-registry
+
+.PHONY: build run clean docker publish-kind publish-registry

conf/config.go

@@ -13,9 +13,12 @@ type Config struct {
 	LDAPBaseDN     string
 	LDAPRoleBaseDN string
 
-	ClientSecret string
+	ClientSecret                string
+	OAuth2ClientSecretName      string
+	OAuth2ClientSecretNamespace string
 
 	Auth                   string
+	AuthConnectPublicHost  string
 	AuthConnectorHost      string
 	AuthConnectorPort      int
 	AuthConnectorAdminPort int

go.mod

@@ -1,82 +1,59 @@
 module oc-auth
 
-go 1.22.0
+go 1.23.0
+
+toolchain go1.23.3
 
 require (
-	cloud.o-forge.io/core/oc-lib v0.0.0-20241121074503-15ca06aba883
+	cloud.o-forge.io/core/oc-lib v0.0.0-20250108155542-0f4adeea86be
 	github.com/beego/beego/v2 v2.3.1
-	github.com/nats-io/nats.go v1.37.0
-	github.com/ory/hydra-client-go v1.11.8
 	github.com/smartystreets/goconvey v1.7.2
 	go.uber.org/zap v1.27.0
-	golang.org/x/oauth2 v0.23.0
+	k8s.io/apimachinery v0.32.1
+	k8s.io/client-go v0.32.1
 )
 
+//replace cloud.o-forge.io/core/oc-lib => ../oc-lib
+
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
-	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/dgraph-io/ristretto v0.1.1 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
-	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/felixge/httpsnoop v1.0.3 // indirect
-	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
-	github.com/go-logr/logr v1.2.4 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
-	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/gobuffalo/pop/v6 v6.0.8 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/gofrs/uuid v4.3.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/glog v1.2.0 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
-	github.com/golang/mock v1.6.0 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.2 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/mattn/goveralls v0.0.12 // indirect
+	github.com/nats-io/nats.go v1.37.0 // indirect
-	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
-	github.com/openzipkin/zipkin-go v0.4.1 // indirect
-	github.com/ory/go-acc v0.2.9-0.20230103102148-6b1c9a70dbbe // indirect
-	github.com/ory/go-convenience v0.1.0 // indirect
-	github.com/ory/x v0.0.575 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.9 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/seatgeek/logrus-gelf-formatter v0.0.0-20210414080842-5b05eb8ff761 // indirect
+	github.com/robfig/cron/v3 v3.0.1 // indirect
-	github.com/sirupsen/logrus v1.9.0 // indirect
-	github.com/spf13/afero v1.9.5 // indirect
-	github.com/spf13/cast v1.5.1 // indirect
-	github.com/spf13/cobra v1.7.0 // indirect
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.16.0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
-	github.com/subosito/gotenv v1.4.2 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.42.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.42.0 // indirect
-	go.opentelemetry.io/contrib/propagators/b3 v1.17.0 // indirect
-	go.opentelemetry.io/contrib/propagators/jaeger v1.17.0 // indirect
-	go.opentelemetry.io/contrib/samplers/jaegerremote v0.11.0 // indirect
-	go.opentelemetry.io/otel v1.16.0 // indirect
-	go.opentelemetry.io/otel/exporters/jaeger v1.16.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.16.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.16.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.16.0 // indirect
-	go.opentelemetry.io/otel/exporters/zipkin v1.16.0 // indirect
-	go.opentelemetry.io/otel/metric v1.16.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.16.0 // indirect
-	go.opentelemetry.io/otel/trace v1.16.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
-	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.10.0 // indirect
-	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/oauth2 v0.23.0 // indirect
-	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
+	golang.org/x/term v0.25.0 // indirect
-	google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de // indirect
+	golang.org/x/time v0.7.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
-	google.golang.org/grpc v1.63.0 // indirect
+	k8s.io/api v0.32.1 // indirect
-	gopkg.in/ini.v1 v1.67.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )
 
 require (
@@ -88,7 +65,6 @@ require (
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.22.1 // indirect
-	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 // indirect
@@ -96,10 +72,7 @@ require (
 	github.com/hashicorp/golang-lru v1.0.2 // indirect
 	github.com/i-core/rlog v1.0.0
 	github.com/jtolds/gls v4.20.0+incompatible // indirect
-	github.com/justinas/nosurf v1.1.1
-	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/klauspost/compress v1.17.11 // indirect
-	github.com/kr/text v0.2.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
@@ -108,13 +81,10 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nats-io/nkeys v0.4.7 // indirect
 	github.com/nats-io/nuid v1.0.1 // indirect
-	github.com/ory/fosite v0.47.0
 	github.com/prometheus/client_golang v1.20.5 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.60.1 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/purnaresa/bulwark v0.0.0-20201001150757-1cec324746b2
-	github.com/robfig/cron/v3 v3.0.1 // indirect
 	github.com/rs/zerolog v1.33.0 // indirect
 	github.com/shiena/ansicolor v0.0.0-20230509054315-a9deabde6e02 // indirect
 	github.com/smartystreets/assertions v1.2.0 // indirect
@@ -128,7 +98,6 @@ require (
 	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/sys v0.26.0 // indirect
 	golang.org/x/text v0.19.0 // indirect
-	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

infrastructure/auth_connector/hydra_connector.go

@@ -1,6 +1,8 @@
 package auth_connectors
 
 import (
+	"bytes"
+	"context"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
@@ -10,6 +12,7 @@ import (
 	"net/url"
 	"oc-auth/conf"
 	"oc-auth/infrastructure/claims"
+	"os"
 	"regexp"
 	"strconv"
 	"strings"
@@ -18,6 +21,10 @@ import (
 	oclib "cloud.o-forge.io/core/oc-lib"
 	"cloud.o-forge.io/core/oc-lib/models/peer"
 	"cloud.o-forge.io/core/oc-lib/tools"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
 )
 
 type HydraConnector struct {
@@ -102,12 +109,26 @@ func (a HydraConnector) Refresh(token *Token) (*Token, error) {
 }
 
 func (a HydraConnector) tryLog(username string, url string, subpath string, challenge string, cookies ...*http.Cookie) (*Redirect, string, []*http.Cookie, error) {
-	resp, err := a.Caller.CallRaw(http.MethodGet, url, subpath,
+
-		map[string]interface{}{}, "application/json", true, cookies...)
+	postBody, _ := json.Marshal(map[string]interface{}{})
-	if err != nil || resp.Request.Response == nil || resp.Request.Response.Header["Set-Cookie"] == nil {
+	responseBody := bytes.NewBuffer(postBody)
+	req, _ := http.NewRequest(http.MethodGet, url+subpath, responseBody)
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Add("X-Forwarded-Proto", "https")
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+	client := &http.Client{
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse // No redirect, doesn't make sense; hydra redirect user to login page, we are not the user here due to wrong oauth flow implementation
+		},
+	}
+	resp, err := client.Do(req)
+
+	if err != nil || resp == nil || resp.Header["Set-Cookie"] == nil {
 		return nil, "", cookies, err
 	}
-	cc := resp.Request.Response.Header["Set-Cookie"] // retrieve oauth2 csrf token cookie
+	cc := resp.Header["Set-Cookie"] // retrieve oauth2 csrf token cookie
 	if len(cc) > 0 {
 		for _, c := range cc {
 			first := strings.Split(c, ";")
@@ -117,7 +138,7 @@ func (a HydraConnector) tryLog(username string, url string, subpath string, chal
 			})
 		}
 	}
-	return a.challenge(username, resp.Request.URL.String(), challenge, cookies...)
+	return a.challenge(username, resp.Header.Get("Location"), challenge, cookies...)
 }
 
 func (a HydraConnector) getClient() string {
@@ -146,8 +167,22 @@ func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Toke
 		return nil, err
 	}
 	// problem with consent THERE we need to accept the consent challenge && get the token
-	_, err = a.Caller.CallRaw(http.MethodGet, a.urlFormat(redirect.RedirectTo, a.getPath(false, true)), "", map[string]interface{}{},
+
-		"application/json", true, cookies...)
+	postBody, _ := json.Marshal(map[string]interface{}{})
+	responseBody := bytes.NewBuffer(postBody)
+	req, _ := http.NewRequest(http.MethodGet, a.urlFormat(redirect.RedirectTo, a.getPath(false, true)), responseBody)
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Add("X-Forwarded-Proto", "https")
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+	client := &http.Client{
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse // No redirect, doesn't make sense; hydra redirect user to login page, we are not the user here due to wrong oauth flow implementation
+		},
+	}
+	_, err = client.Do(req)
+
 	if err != nil {
 		s := strings.Split(err.Error(), "\"")
 		if len(s) > 1 && strings.Contains(s[1], "access_token") {
@@ -160,6 +195,15 @@ func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Toke
 		Username: username,
 	}
 	urls := url.Values{}
+
+	// Using k8s secrets gen by hydra, eventually
+	clientID, clientSecret, err := a.getOAuth2Conf(conf.GetConfig().OAuth2ClientSecretNamespace, conf.GetConfig().OAuth2ClientSecretName)
+	if err == nil {
+		urls.Add("client_id", clientID)
+		urls.Add("client_secret", clientSecret)
+	}
+
+	// Fallback on manually set client secret
 	urls.Add("client_id", clientID)
 	urls.Add("client_secret", conf.GetConfig().ClientSecret)
 	urls.Add("grant_type", "client_credentials")
@@ -194,6 +238,54 @@ func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Toke
 	return token, nil
 }
 
+func (a HydraConnector) getOAuth2Conf(namespace string, secretName string) (string, string, error) {
+	clientset, err := a.getClientset()
+	if err != nil {
+		return "", "", fmt.Errorf("error creating Kubernetes client: %v", err)
+	}
+
+	secret, err := clientset.CoreV1().Secrets(namespace).Get(context.TODO(), secretName, metav1.GetOptions{})
+	if err != nil {
+		return "", "", fmt.Errorf("error retrieving secret %s/%s: %v", namespace, secretName, err)
+	}
+
+	clientIDEncoded, found := secret.Data["CLIENT_ID"]
+	if !found {
+		return "", "", fmt.Errorf("CLIENT_ID key not found in secret")
+	}
+
+	clientSecretEncoded, found := secret.Data["CLIENT_SECRET"]
+	if !found {
+		return "", "", fmt.Errorf("CLIENT_SECRET key not found in secret")
+	}
+
+	clientID := string(clientIDEncoded)
+	clientSecret := string(clientSecretEncoded)
+
+	return clientID, clientSecret, nil
+}
+
+func (a HydraConnector) getClientset() (*kubernetes.Clientset, error) {
+	var config *rest.Config
+	var err error
+
+	// Check if running inside cluster
+	if _, inCluster := os.LookupEnv("KUBERNETES_SERVICE_HOST"); inCluster {
+		config, err = rest.InClusterConfig() // Use in-cluster config
+	} else {
+		kubeconfig := os.Getenv("KUBECONFIG") // Use local kubeconfig file
+		if kubeconfig == "" {
+			kubeconfig = clientcmd.RecommendedHomeFile
+		}
+		config, err = clientcmd.BuildConfigFromFlags("", kubeconfig)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	return kubernetes.NewForConfig(config)
+}
+
 func (a HydraConnector) Logout(token string, cookies ...*http.Cookie) (*Token, error) {
 	access := strings.Split(token, ".")
 	if len(access) > 2 {
@@ -242,9 +334,10 @@ func (a HydraConnector) Introspect(token string, cookie ...*http.Cookie) (bool,
 }
 
 func (a HydraConnector) getPath(isAdmin bool, isOauth bool) string {
-	host := conf.GetConfig().AuthConnectorHost
+	host := conf.GetConfig().AuthConnectPublicHost
 	port := fmt.Sprintf("%v", conf.GetConfig().AuthConnectorPort)
 	if isAdmin {
+		host = conf.GetConfig().AuthConnectorHost
 		port = fmt.Sprintf("%v", conf.GetConfig().AuthConnectorAdminPort) + "/admin"
 	}
 	oauth := ""

infrastructure/perms_connectors/keto_connector.go

@@ -342,7 +342,7 @@ func (k KetoConnector) createRelationShip(object string, relation string, subjec
 	}
 	host := conf.GetConfig().PermissionConnectorHost
 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort)
-	b, err := caller.CallPut("http://"+host+":"+port, "/relation-tuples", body)
+	b, err := caller.CallPut("http://"+host+":"+port, "/admin/relation-tuples", body)
 	if err != nil {
 		log := oclib.GetLogger()
 		log.Error().Msg(err.Error())

infrastructure/perms_connectors/perms_connector.go

@@ -1,8 +1,6 @@
 package perms_connectors
 
 import (
-	"oc-auth/conf"
-
 	"cloud.o-forge.io/core/oc-lib/tools"
 )
 
@@ -54,5 +52,5 @@ var c = map[string]PermConnector{
 }
 
 func GetPermissionConnector() PermConnector {
-	return c[conf.GetConfig().PermissionConnectorHost]
+	return c["keto"]
 }

main.go

@@ -14,6 +14,7 @@ import (
 	"cloud.o-forge.io/core/oc-lib/models/utils"
 	"cloud.o-forge.io/core/oc-lib/tools"
 	beego "github.com/beego/beego/v2/server/web"
+	"github.com/beego/beego/v2/server/web/filter/cors"
 )
 
 const appname = "oc-auth"
@@ -32,9 +33,11 @@ func main() {
 	conf.GetConfig().PublicKeyPath = o.GetStringDefault("PUBLIC_KEY_PATH", "./pem/public.pem")
 	conf.GetConfig().PrivateKeyPath = o.GetStringDefault("PRIVATE_KEY_PATH", "./pem/private.pem")
 	conf.GetConfig().ClientSecret = o.GetStringDefault("CLIENT_SECRET", "oc-auth-got-secret")
-
+	conf.GetConfig().OAuth2ClientSecretName = o.GetStringDefault("OAUTH2_CLIENT_SECRET_NAME", "oc-oauth2-client-secret")
+	conf.GetConfig().OAuth2ClientSecretNamespace = o.GetStringDefault("NAMESPACE", "default")
 	conf.GetConfig().Auth = o.GetStringDefault("AUTH", "hydra")
 	conf.GetConfig().AuthConnectorHost = o.GetStringDefault("AUTH_CONNECTOR_HOST", "localhost")
+	conf.GetConfig().AuthConnectPublicHost = o.GetStringDefault("AUTH_CONNECTOR_PUBLIC_HOST", "localhost")
 	conf.GetConfig().AuthConnectorPort = o.GetIntDefault("AUTH_CONNECTOR_PORT", 4444)
 	conf.GetConfig().AuthConnectorAdminPort = o.GetIntDefault("AUTH_CONNECTOR_ADMIN_PORT", 4445)
 	conf.GetConfig().PermissionConnectorHost = o.GetStringDefault("PERMISSION_CONNECTOR_HOST", "keto")
@@ -52,6 +55,13 @@ func main() {
 		panic(err)
 	}
 	discovery()
+	beego.InsertFilter("*", beego.BeforeRouter, cors.Allow(&cors.Options{
+		AllowAllOrigins:  true,
+		AllowMethods:     []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
+		AllowHeaders:     []string{"Origin", "Authorization", "Content-Type"},
+		ExposeHeaders:    []string{"Content-Length", "Content-Type"},
+		AllowCredentials: true,
+	}))
 	beego.Run()
 }