-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hydra 2 does not send CORS headers in response to OPTIONS preflight request #3795
Comments
OK With the SERVE_PUBLIC_CORS_DEBUG=1, I see this in the log:
This is despite the fact that that origin is set for the OIDC client in question, which I am sending in the Authorization header (without a client secret, just as the 'username', which worked on Hydra 1.11.0). If I set https://my-rp-site.com in the global Hydra CORS variable SERVE_PUBLIC_CORS_ALLOWED_ORIGINS, everything works. But this is not ideal, it means Hydra 2.2.0 no longer responds for client-specific CORS header for a preflight request. |
Given that it no longer works when sending an Authorization header with the client_id as the username, it begs the question: what exactly is the point of the allowed_cors_origins parameter for an OIDC client, now? It seems that it is ignored, so only the global setting works? With the global setting, I don't need to send an Authorization header at all, which makes perfect sense. But I am struggling to see a scenario where Hydra 2.2.0 would return the headers for a client that has had specific CORS headers set? |
Re-reading #1754
Is what @aeneasr saying here, effectively: "To make an OPTIONS pre-flight request return the allowed origin URL, you must also (in addition to configuring allowed_cors_origins for the client) configure the URL in the 'global' settings - that means, the 'client-specific' allowed_cors_origins setting is only enforced for an actual GET/POST request after the pre-flight request? That is, a subsequent GET/POST request for that client, but which sends an Origin that is not tied to the client but is in the global settings, would correctly not be allowed (for such authenticated requests, only the URL defined in |
OK, sorry for the noise. I re-read https://www.ory.sh/docs/hydra/guides/cors
What I think the doc should also say, as a final sentence, is:
On the other hand, if this also means that:
^ if that works (all global CORS urls are respected, instead of enforcing only those set in So that's the question: does 'allowed_cors_origins' enforce limiting the allowed URLs to only those URLs, for authenticated requests (regardless of what the global URLs are), or is it in addition to the global URLs? |
Any news on this? |
The culprit seems to be here: As far as I can see this handler overrides the one that is set in If you delete the lines 60-67, the old behavior is restored (accept all OPTIONS requests and only restrict CORS when the actual request comes). |
Preflight checklist
Ory Network Project
No response
Describe the bug
I recently upgraded a Hydra instance from v1.11.10 to v2.2.0.
After upgrading, one of my 3rd party RPs who has an SPA app and a PKCE OIDC client with our Hydra, reported that their auth flow is broken for them due to a change in the CORS behaviour.
This RP/OIDC client has a client-specific CORS URL set in their client (not in the global CORS settings)
Here is what they say:
They say this works fine on our production instance that still runs on v1.11.0 but not our public staging environment.
What do I need to do to fix it? I haven't changed anything to do with their OIDC client.
I tried adding these env vars to my docker instance but it hasn't helped:
This still doesn't return the Access-Control-Allow-Credentials, Access-Control-Allow-Headers, Access-Control-Allow-Origin, Access-Control-Allow-Methods headers in the response
Here are all my env vars (URLs masked):
Reproducing the bug
Configure an RP with client-specific CORS URL with clientID xxxxxxxx
Try and make a pre-flight CORS request
Relevant log output
No response
Relevant configuration
No response
Version
2.2.0
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker
Additional Context
No response
The text was updated successfully, but these errors were encountered: