CORS issue with Traefik and Authenik

[adrianmace]

Describe the bug
I am running both the frontend and backend via Traefik reverse proxy which has a middleware authentik configured. When running in this configuration, I get the following CORS error on the console and the frontend loads, but cannot communicate with the backend:

Access to internal resource at 'https://auth.example.com/application/o/authorize/?client_id=1crzd0dn3ROBzwSpYEFeIBYmRtqrtEl5Zkvyc0BI&redirect_uri=https%3A%2F%2Fauth.example.com%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=email+openid+profile+ak_proxy&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnb2F1dGhlbnRpay5pby9vdXRwb3N0LzFjcnpkMGRuM1JPQnp3U3BZRUZlSUJZbVJ0cXJ0RWw1Wmt2eWMwQkkiLCJzaWQiOiI1RkU3NVZNUklJR1NTN0c3UkdRR1pJNUdSWEsyVkwzQUABCDEFABCDEFExCUFZYNk9BIiwic3RhdGUiOiJxZHlOdG80UEF4ajhxOUhuY1FVdEpaQlA5MWt6UEk3Slp5dTJZUWprbVBNIiwicmVkaXJlY3QiOiJodHRwczovL2lwdHYuZ3AubWFjZS5hdS9tYW5pZmVzdC53ZWJtYW5pZmVzdCJ9.z1EjxOtj5L1dy-BexgWlfosBqgMf_u573vOvd5ZAPHI' (redirected from 'https://iptv-frontend.example.com/manifest.webmanifest') from origin 'https://iptv-frontend.example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I have tried to inject the Access-Control-Allow-Origin: '*' header on the frontend responses, backend responses, and authentik responses all without success to resolving this. Would love to get a second set of eyes.

[adrianmace]

Update, injecting the Access-Control-Allow-Origin: '*' header in to the Authentik domain does resolve the CORS issue, but the manifest.webmanifest file now returns empty with the following error:

No content available because this request was redirected

[jimz011]

I also face this problem, the Access-Control-Allow-Origin header can indeed be bypassed this way, but the manifest error will stay.
I am guessing that this is because iptv streams are served over http and thus the script simply can not run.

It runs fine when accessed locally, but I have the gut feeling that it takes more than just some headers to get this working over https and reverse proxy/middleware.