loud-keyboard-84117

02/24/2022, 6:26 AM
Hi #hydra, I'm getting a CORS error when I try to GET the login challenge. Hydra is deployed on AWS EC2, the OAuth client is on localhost and the IDP login UI is on localhost too. Do I need to set up CORS (https://www.ory.sh/hydra/docs/guides/cors/) for these?

proud-plumber-24205

02/24/2022, 9:58 AM
Hi @User, yes, since you are contacting a service (through your browser) that is not on the same origin as your browser (localhost). You can see the behaviour change by doing the same request in curl (not a browser).

loud-keyboard-84117

02/24/2022, 10:02 AM
Understood. I just tried adding this and the flow seems to work. Basically allowed 127.0.0.1 and localhost.
-e SERVE_ADMIN_CORS_ENABLED=$SERVE_ADMIN_CORS_ENABLED \
  -e SERVE_ADMIN_CORS_ALLOWED_ORIGINS_0=$SERVE_ADMIN_CORS_ALLOWED_ORIGINS_0 \
  -e SERVE_ADMIN_CORS_ALLOWED_ORIGINS_1=$SERVE_ADMIN_CORS_ALLOWED_ORIGINS_1 \
  -e SERVE_ADMIN_CORS_ALLOWED_METHODS_0=$SERVE_ADMIN_CORS_ALLOWED_METHODS_0 \
  -e SERVE_ADMIN_CORS_ALLOWED_METHODS_1=$SERVE_ADMIN_CORS_ALLOWED_METHODS_1 \
  -e SERVE_ADMIN_CORS_ALLOWED_METHODS_2=$SERVE_ADMIN_CORS_ALLOWED_METHODS_2 \
  -e SERVE_ADMIN_CORS_ALLOWED_HEADERS_0=$SERVE_ADMIN_CORS_ALLOWED_HEADERS_0 \
  -e SERVE_ADMIN_CORS_EXPOSED_HEADERS_0=$SERVE_ADMIN_CORS_EXPOSED_HEADERS_0 \
Though it's mentioned that "Keep in mind that the OAuth 2.0 Authorization Endpoint (/oauth2/auth) does not expose CORS by design. This endpoint should never be consumed in a CORS-fashion."
How do I make it work in this case? I went the env variable way because I was having issues using a config file.

proud-plumber-24205

02/24/2022, 10:21 AM
CORS only applies to HTTP requests your browser makes to another origin, e.g. your browser is on http://localhost:3000 but does a fetch request to http://example.com. In this case example.com needs to allow localhost:3000 to make such a request. With browser redirects this is not needed. With /oauth2/auth you make a redirect to Hydra, which redirects you to your application login page. Please take a look at https://www.ory.sh/docs/hydra/concepts/oauth2
Notice the URL change when I click "Authorize application".

loud-keyboard-84117

02/24/2022, 12:50 PM
Understood. Thanks so much for the details. Though if I may ask, in case I do SSR with Next.js, will it work out of the box, since it won't be a request from the browser?

proud-plumber-24205

02/24/2022, 1:11 PM
If you make a fetch request to Hydra from the client's browser (even in SSR) it will require CORS since the browser is making the fetch request.

loud-keyboard-84117

02/25/2022, 2:46 PM
Understood, thanks Alano.