Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

hi i've set up a first development environment to start with ory  oathkeeper and kratos. I've set up 2 domains.   auth.cdf.dev and app.cdf.dev . (SPA) now the SPA is running behind oathkeerer and logging in etc works. Now the SPA I think should do a GET on the public /sessions/whoami endpoint to get some user information. BUT.   I keep running into  CORS errors and the endpoint whoami *not* giving back a ' Access-Control-Allow-Origin' header. The response is ok. Just the browser blocks it. I've adeed a cors: enabled section  but cors headers keep missing.

`serve:`
  `public:`
    `base_url: <http://auth.cdf.dev:4433/>`
    `cors:`
      `enabled: true`
      `allowed_origins:`
        `- <http://cdf.dev>`
        `- http://*.cdf.dev`
        `- <http://auth.cdf.dev>`
        `- <http://dook.cdf.dev>`

so i've added these to my hosts
then I need to be able to have a frontend on <http://cdf.dev>, but I get connection refused. anything specific i should do?