hydra: Client allowed_cors_origins not working

Describe the bug

Enabling CORS support on the public endpoints seems to be working as expected by enabling the settings in the configuration, however when setting the allowed_cors_origins setting in the client, the additional origin URLs are not being allowed.

Reproducing the bug

Steps to reproduce the behavior:

  1. Create a hydra environment version 1.3.2 with the below configuration
  2. create an authorization_code client my_client with allowed_cors_origin set to an alternate (additional) Origin URL
  3. POST to the /oauth2/token endpoint with the Origin: header (ie ‘Origin: https://client-app.example.com’), and client_id: my_client in the body of the request.
  4. Request should return the following response headers access-control-allow-credentials: true access-control-allow-origin: https://client-app.example.com

Server logs

Server configuration

Expected behavior

expect https://client-app.example.com to be an allowed origin

Environment

  • Version: v1.3.2
  • Environment: Docker

Additional context

Add any other context about the problem here.

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 26 (13 by maintainers)

Commits related to this issue

Most upvoted comments

Nice find, it actually appears that the server-based origin only works if the server config is either

serve:
  public:
    cors:
      enabled: true
      allowed_origins: 
        - *
        # - you may include additional origins here but since there's already a wildcard it doesn't make sense

or

serve:
  public:
    cors:
      enabled: true

but not if a concrete value is set. That’s definitely a bug!

Instead of doing a check here

https://github.com/ory/hydra/blob/master/driver/cors.go#L60-L70

we should merge these origins with values coming the client and then run the glob matching on top of that.

We can still keep the alwaysAllow check to reduce request latency in cases where all origins are allowed.

+2
aeneasr on Mar 17, 2020

Ok at last I found the solution!

In order to pass the client_id in basic-auth when token_endpoint_auth_method = none, you need to leave the colon after the client_id.

For example:

  xhr.setRequestHeader(
    "Authorization",
    "Basic " + btoa(clientId + ":")
  );

If you include a dummy password or omit the colon, it will not work.

Thank you very much @IronGeek !

+1
lortabac on Sep 20, 2023

Unfortunately, this still isn’t working as I would expect. (tested with version 1.5.2) Configuring allowed_cors_origins on the oauth client effectively does nothing, whatever I configure in serve.public.cors.allowed_origins is the only thing that’s honored.

If I set serve.public.cors.enabled=false or just don’t set it, then I get no access-control headers returned at all regardless of what I set in the client for allowed_cors_origins.

If I set serve.public.cors.allowed_origins to “" that works, but only because it’s returning the Access-Control-Allow-Origin header of "” which effectively makes client configured cors obsolete.

+1
Alt0252 on Aug 3, 2020
Read more comments on GitHub
← hydra: Admin endpoint to delete the sessions and trigger backchannel logout for a subject
hydra: Container is not Running →