Issues with CORS headers JWT error for API Gateway

Greetings everyone!

First of all - please correct me if this is the wrong group to ask this question. Secondly - my English is not very good so please bear with me.

We’re having some issues with using our Cloud Run application with API Gateway serving calls. Since we implement JWT token timeout we would like to show our customer the error message that their session is expired. But when we try to catch this error from API Gateway we get CORS error. What happens is browser does OPTIONS pre-flight check which is successful for some reason and when it makes GET request we get error code without Access-Control-Allow-Origin header. That triggers CORS error in browser and thus prevents JavaScript to access error message. We would expect those headers to exist within error messages as well.

Is there any way we can add CORS headers in API Gateway error messages as well?

Thanks in advance and best regards

When you ran the command

gcloud api-gateway api-configs 

did you add the --backend-auth-service-account flag? In your openAPI spec did you include x-google-backend and or jwt_audience you can find more OpenAPI extensions | Cloud Endpoints with OpenAPI | Google Cloud

Yes, authentication is enabled and works for all normal calls. Issue is that when JWT token expires preflight check fails making browser think it is CORS denied.

What we would really want to have is Access-Control-Allow-Origin header in OPTIONS call. API gateway error response.