# ory-selfhosting
Hey, I've been trying to set up the Ory stack but I'm having some issues with CORS. I'm using the Ory Helm charts and I'm hosting on a Kubernetes cluster load balanced by Traefik. (domain.com is used as an example.)

- My custom UI is hosted on https://account.domain.com/
- My Kratos instance is hosted on https://id.domain.com/
- My Hydra instance is hosted on https://oauth.domain.com/

Here is part of my Kratos values.yml file:
```yaml
serve:
  public:
    base_url: https://id.domain.com
    cors:
      enabled: true
      allowed_origins:
        - https://id.domain.com
        - https://*.domain.com
        - https://oauth.domain.com
        - https://*.oauth.domain.com
        - https://account.domain.com
        - https://*.account.domain.com
        - http://localhost:3000
        - http://127.0.0.1:3000
        - http://localhost:4000
        - http://127.0.0.1:4000
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Cookie
        - Content-Type
      exposed_headers:
        - Content-Type
        - Set-Cookie
  admin:
    cors:
      enabled: true
      allowed_origins:
        - https://id.domain.com
        - https://*.domain.com
        - https://oauth.domain.com
        - https://*.oauth.domain.com
        - https://account.domain.com
        - https://*.account.domain.com
        - http://localhost:3000
        - http://127.0.0.1:3000
        - http://localhost:4000
        - http://127.0.0.1:4000
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Cookie
        - Content-Type
      exposed_headers:
        - Content-Type
        - Set-Cookie
ingress:
  public:
    enabled: true
    hosts:
      - host: id.domain.com
        paths:
          - path: /
            pathType: Prefix
    annotations:
      traefik.ingress.kubernetes.io/router.entrypoints: websecure,web
      cert-manager.io/cluster-issuer: letsencrypt-prod
    tls:
      - hosts: ["id.domain.com"]
        secretName: kratos-tls
  admin:
    enabled: false
```
I've also noticed when receiving verification emails that Kratos appears not to recognise the domain it's hosted behind, as the URL is an internal domain: https://kratos-7848f8cd55-b7gjl:4433/self-service/verification

Just want to make sure I'm not doing anything stupid here. Please let me know if I need to share any more of my values.yaml. Any help would be greatly appreciated 🙂

The exact console errors are here too:

```text
Access to fetch at 'https://id.domain.com//self-service/login/browser?return_to=https%3A%2F%2Faccount.domain.com' from origin 'https://account.domain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Access to XMLHttpRequest at 'https://id.domain.com//self-service/login/browser?return_to=https%3A%2F%2Faccount.domain.com' from origin 'https://account.domain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
```
EDIT: Found the issue... It was Traefik stripping CORS headers 🤦 If anyone has the same issue as me, here's how I solved it.

1. Create a Traefik middleware (replace domain.com with your own domain):

```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: cors-middleware
  namespace: ory
spec:
  headers:
    accessControlAllowOriginList:
      - "https://id.domain.com"
      - "https://*.domain.com"
    accessControlAllowMethods:
      - "POST"
      - "GET"
      - "PUT"
      - "PATCH"
      - "DELETE"
    accessControlAllowHeaders:
      - "Authorization"
      - "Cookie"
      - "Content-Type"
    accessControlExposeHeaders:
      - "Content-Type"
      - "Set-Cookie"
    accessControlAllowCredentials: true
    addVaryHeader: true
```

2. Add this annotation to your ingress:

```yaml
traefik.ingress.kubernetes.io/router.middlewares: <namespace>-cors-middleware@kubernetescrd
```