# talk-hydra
l
Hi #hydra, I'm getting a CORS error when I try to GET the login challenge. Hydra is deployed on AWS EC2, the OAuth client is on localhost and the IDP login UI is on localhost too. Do I need to set up CORS (https://www.ory.sh/hydra/docs/guides/cors/) for these?
p
Hi @User, yes, since you are contacting a service (through your browser) that is not on the same origin as your browser (localhost). You can see the behaviour change by doing the same request in curl (not a browser).
l
Understood. I just tried adding this and the flow seems to work. Basically allowed 127.0.0.1 and localhost.
Copy code
-e SERVE_ADMIN_CORS_ENABLED=$SERVE_ADMIN_CORS_ENABLED \
  -e SERVE_ADMIN_CORS_ALLOWED_ORIGINS_0=$SERVE_ADMIN_CORS_ALLOWED_ORIGINS_0 \
  -e SERVE_ADMIN_CORS_ALLOWED_ORIGINS_1=$SERVE_ADMIN_CORS_ALLOWED_ORIGINS_1 \
  -e SERVE_ADMIN_CORS_ALLOWED_METHODS_0=$SERVE_ADMIN_CORS_ALLOWED_METHODS_0 \
  -e SERVE_ADMIN_CORS_ALLOWED_METHODS_1=$SERVE_ADMIN_CORS_ALLOWED_METHODS_1 \
  -e SERVE_ADMIN_CORS_ALLOWED_METHODS_2=$SERVE_ADMIN_CORS_ALLOWED_METHODS_2 \
  -e SERVE_ADMIN_CORS_ALLOWED_HEADERS_0=$SERVE_ADMIN_CORS_ALLOWED_HEADERS_0 \
  -e SERVE_ADMIN_CORS_EXPOSED_HEADERS_0=$SERVE_ADMIN_CORS_EXPOSED_HEADERS_0 \
Though it's mentioned that

> Keep in mind that the OAuth 2.0 Authorization Endpoint (/oauth2/auth) does not expose CORS by design. This endpoint should never be consumed in a CORS-fashion.

How do I make it work in this case? I went the env variable way because I was having issues using a config file.
p
CORS only applies to HTTP requests your browser makes to another origin, e.g. your browser is on http://localhost:3000 but does a `fetch` request to http://example.com. In this case example.com needs to allow localhost:3000 to make such a request. With browser redirects this is not needed. With `/oauth2/auth` you make a redirect to Hydra, which redirects you to your application login page. Please take a look at https://www.ory.sh/docs/hydra/concepts/oauth2
Notice the URL change when I click `Authorize application`
l
Understood. Thanks so much for the details. Though if I may ask, in case I do SSR with Next.js, will it work out of the box, since it won't be a request from the browser?
p
If you make a `fetch` request to Hydra from the client's browser (even in SSR) it will require CORS since the browser is making the `fetch` request.
l
Understood, thanks Alano.