I'm pretty new to the Ory ecosystem but I'm trying to set up Hydra as my OIDC provider and I'm running into the following issue: I have an endpoint that attempts the following:

const login = await oidc
    .getOAuth2LoginRequest({ loginChallenge })
    .then(() =>
      oidc
        .acceptOAuth2LoginRequest({
          loginChallenge,
          acceptOAuth2LoginRequest: {
            subject: 'Roy',
            remember: Boolean(false),
            remember_for: 3600,
            acr: '0',
          },
        })
        .then(({ data }) => data))

If I do the following:

res.status(200).json({message: login.redirect_to})

And follow that returned redirect link from the client, the consent endpoint gets called and everything works However, if I do the following:

res.redirect(data.redirect_to)

I receive the following error:

The request is not allowed. No CSRF value available in the session cookie.

According to this: https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow I should redirect from the api directly. I'm not sure why this is the case. My stack is Ory Hydra (local docker env), Nextjs and Next Auth. Is there anyone able to help?

Checkout browser inspect mode to find out why the cookies were not sent.

The login cookie is being set. I see the following message in the console:

signin/:1 Access to fetch at '<http://localhost:4200/api/auth/callback/siwt?error=request_forbidden&error_description=The+request+is+not+allowed.+No+CSRF+value+available+in+the+session+cookie.&state=6cnPlvbosn7bGc_TT4pvU_DQAjfFjQ9I7e1D87Ux8No>' (redirected from '<http://localhost:4200/api/siwt>') from origin '<http://localhost:4200>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

I am using api. receiving same error.