From e853cff212685a34bb3971198a6fadc007651a5e Mon Sep 17 00:00:00 2001 From: aeneasr <3372410+aeneasr@users.noreply.github.com> Date: Wed, 27 Aug 2025 14:58:37 +0200 Subject: [PATCH 01/10] docs: clarify CORS Closes https://github.com/ory/hydra/issues/3795 --- docs/hydra/guides/cors.mdx | 140 +++++++++++++++++++++++++++++-------- 1 file changed, 112 insertions(+), 28 deletions(-) diff --git a/docs/hydra/guides/cors.mdx b/docs/hydra/guides/cors.mdx index b401bca8d..c8c9309c2 100644 --- a/docs/hydra/guides/cors.mdx +++ b/docs/hydra/guides/cors.mdx @@ -1,12 +1,34 @@ --- id: cors -title: Setting up cross-origin resource sharing (CORS) +title: Configure cross-origin resource sharing (CORS) --- -Both Ory Hydra's Admin and Public endpoints support CORS. For detailed information, head over to the exemplary -[config file](https://github.com/ory/hydra/blob/master/.schema/config.schema.json). +Ory services support cross-origin resource sharing (CORS). For the full schema, see the +[configuration file](https://github.com/ory/hydra/blob/master/.schema/config.schema.json). -For CORS to work properly, we encourage to set the following values: +## Configure CORS in Ory Kratos + +Enable CORS for specific origins in your configuration file: + +```yaml +serve: + admin: + cors: + enabled: true + allowed_origins: + - https://example.com + - https://*.example.com # Wildcards are supported + public: + cors: + enabled: true + allowed_origins: + - https://example.com + - https://*.example.com +``` + +## Configure CORS in Ory Hydra + +We recommend the following base configuration: ```yaml serve: 
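Review bot: the new intro sentence "Ory services support cross-origin resource sharing (CORS). For the full schema, see the [configuration file](https://github.com/ory/hydra/blob/master/.schema/config.schema.json)" links only Hydra's schema, yet the same hunk adds a "## Configure CORS in Ory Kratos" section (and the file lives under docs/hydra/guides/). Either scope the sentence to Hydra or say that Kratos, Keto and Oathkeeper each ship their own config schema, so a reader does not validate a Kratos config against the Hydra schema. Minor: the `# Wildcards are supported` comment appears on the admin `allowed_origins` list but not on the public one; put it on one of them consistently or state it once in prose.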
@@ -16,37 +38,23 @@ serve: allowed_origins: - https://example.com - https://*.example.com - allowed_methods: - - POST - - GET - - PUT - - PATCH - - DELETE - allowed_headers: - - Authorization - exposed_headers: - - Content-Type public: cors: enabled: true allowed_origins: - https://example.com - https://*.example.com - allowed_methods: - - POST - - GET - - PUT - - PATCH - - DELETE - allowed_headers: - - Authorization - exposed_headers: - - Content-Type ``` -Keep in mind that the OAuth 2.0 Authorization Endpoint (`/oauth2/auth`) doesn't expose CORS by design. This endpoint should never -be consumed in a CORS-fashion. Some endpoints (`/oauth2/token`, `/userinfo`, `/oauth2/revoke`) also include URLs listed in field -`allowed_cors_origins` of the OAuth 2.0 Client that is making the request. For example, OAuth 2.0 Client +### OAuth 2.0 Authoriaztion endpoint + +The **authorization endpoint** (`/oauth2/auth`) never supports CORS. Browsers call this endpoint directly, not through AJAX, so +CORS is unnecessary and unsafe. + +### OAuth 2.0 Token Endpoint + +The **token**, **userinfo**, and **revocation** endpoints (`/oauth2/token`, `/userinfo`, `/oauth2/revoke`) allow requests from +origins defined in the OAuth 2.0 client’s `allowed_cors_origins` field. Example: ```json { 
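Review bot: removing `allowed_headers: - Authorization` (together with the `allowed_methods` and `exposed_headers` lists) from both the admin and public blocks leaves this "base configuration" silent on what Hydra allows by default, while the text that follows says the token, userinfo and revocation endpoints accept cross-origin requests from client-listed origins. A browser that sends `Authorization` cross-origin only does so if the preflight response names that header, so add one sentence stating the default allowed methods and headers, or keep `Authorization` in the example. Separately, the new heading "### OAuth 2.0 Authoriaztion endpoint" has a typo (fixed later in the series), and "Browsers call this endpoint directly, not through AJAX" would be clearer as "through a top-level redirect, not through fetch/XHR".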
@@ -55,5 +63,81 @@ be consumed in a CORS-fashion. Some endpoints (`/oauth2/token`, `/userinfo`, `/o } ``` -is allowed to make CORS request to `/oauth2/token` from origin `https://foo-bar.com/` even if that origin isn't listed in +This client can make CORS requests to `/oauth2/token` from `https://foo-bar.com/`, even if that origin is not listed in `public.cors.allowed_origins`. + +::: note + +For **preflight (OPTIONS) requests**, you must also configure the origin in the global CORS settings. OPTIONS requests don’t +include authorization headers, so Hydra cannot resolve which OAuth 2.0 client is making the request. + +::: + +## Configure CORS in Ory Keto + +```yaml +serve: + read: + cors: + enabled: true + allowed_origins: + - https://example.com + - https://*.example.com + write: + cors: + enabled: true + allowed_origins: + - https://example.com + - https://*.example.com + metrics: + cors: + enabled: true + allowed_origins: + - https://example.com + - https://*.example.com +``` + +## Configure CORS in Ory Oathkeeper + +```yaml +serve: + proxy: + cors: + enabled: true + allowed_origins: + - https://example.com + - https://*.example.com + api: + cors: + enabled: true + allowed_origins: + - https://example.com + - https://*.example.com +``` + +## Advanced configuration + +You can customize allowed methods, headers, and other CORS behavior: + +```yaml +cors: + enabled: true + allowed_origins: + - https://example.com + + allowed_methods: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + allowed_headers: + - Content-Type + exposed_headers: + - Content-Type + - Date + - Vary + allow_credentials: true + debug: true +``` From 945b8ed7cab05f58e086084c5bdcb5394086a691 Mon Sep 17 00:00:00 2001 From: hackerman <3372410+aeneasr@users.noreply.github.com> Date: Wed, 27 Aug 2025 15:13:06 +0200 Subject: [PATCH 02/10] Update docs/hydra/guides/cors.mdx Co-authored-by: Vincent --- docs/hydra/guides/cors.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
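Review bot: the "## Advanced configuration" block in this hunk ends with `allow_credentials: true` and `debug: true` with no explanation; `debug: true` is a troubleshooting switch and deserves a sentence saying not to leave it enabled in production, and `allow_credentials: true` only works with explicitly listed origins, because browsers reject `Access-Control-Allow-Origin: *` on credentialed responses, which matters given the wildcard examples earlier in the guide. Minor: there is a stray blank line between `- https://example.com` and `allowed_methods:` in that block, and the new Keto and Oathkeeper sections drop straight into YAML without the one-line introduction the Kratos section has.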
diff --git a/docs/hydra/guides/cors.mdx b/docs/hydra/guides/cors.mdx index c8c9309c2..362245dbb 100644 --- a/docs/hydra/guides/cors.mdx +++ b/docs/hydra/guides/cors.mdx @@ -69,7 +69,7 @@ This client can make CORS requests to `/oauth2/token` from `https://foo-bar.com/ ::: note For **preflight (OPTIONS) requests**, you must also configure the origin in the global CORS settings. OPTIONS requests don’t -include authorization headers, so Hydra cannot resolve which OAuth 2.0 client is making the request. +include authorization headers, so Hydra can't resolve which OAuth 2.0 client is making the request. ::: From dee0f50d143c05c1d823c2ad9da3b883ab4fc61e Mon Sep 17 00:00:00 2001 From: hackerman <3372410+aeneasr@users.noreply.github.com> Date: Wed, 27 Aug 2025 15:15:13 +0200 Subject: [PATCH 03/10] Update docs/hydra/guides/cors.mdx Co-authored-by: Vincent --- docs/hydra/guides/cors.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/hydra/guides/cors.mdx b/docs/hydra/guides/cors.mdx index 362245dbb..bb72e03fe 100644 --- a/docs/hydra/guides/cors.mdx +++ b/docs/hydra/guides/cors.mdx @@ -48,7 +48,7 @@ serve: ### OAuth 2.0 Authoriaztion endpoint -The **authorization endpoint** (`/oauth2/auth`) never supports CORS. Browsers call this endpoint directly, not through AJAX, so +The authorization endpoint (`/oauth2/auth`) never supports CORS. Browsers call this endpoint directly, not through AJAX, so CORS is unnecessary and unsafe. ### OAuth 2.0 Token Endpoint From e3ce096bf5bf667a8c4fa597e5297ca989b4a099 Mon Sep 17 00:00:00 2001 From: hackerman <3372410+aeneasr@users.noreply.github.com> Date: Wed, 27 Aug 2025 15:15:22 +0200 Subject: [PATCH 04/10] Update docs/hydra/guides/cors.mdx Co-authored-by: Vincent --- docs/hydra/guides/cors.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/hydra/guides/cors.mdx b/docs/hydra/guides/cors.mdx index bb72e03fe..ca513b6b0 100644 --- a/docs/hydra/guides/cors.mdx +++ b/docs/hydra/guides/cors.mdx 
@@ -68,7 +68,7 @@ This client can make CORS requests to `/oauth2/token` from `https://foo-bar.com/ ::: note -For **preflight (OPTIONS) requests**, you must also configure the origin in the global CORS settings. OPTIONS requests don’t +For preflight (OPTIONS) requests, you must also configure the origin in the global CORS settings. OPTIONS requests don’t include authorization headers, so Hydra can't resolve which OAuth 2.0 client is making the request. ::: From 192caaa5a22e2dd9e9f93857630bb913fb058d86 Mon Sep 17 00:00:00 2001 From: hackerman <3372410+aeneasr@users.noreply.github.com> Date: Wed, 27 Aug 2025 15:18:32 +0200 Subject: [PATCH 05/10] Update docs/hydra/guides/cors.mdx Co-authored-by: Vincent --- docs/hydra/guides/cors.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/hydra/guides/cors.mdx b/docs/hydra/guides/cors.mdx index ca513b6b0..7918a20d2 100644 --- a/docs/hydra/guides/cors.mdx +++ b/docs/hydra/guides/cors.mdx @@ -46,7 +46,7 @@ serve: - https://*.example.com ``` -### OAuth 2.0 Authoriaztion endpoint +### OAuth 2.0 authorization endpoint The authorization endpoint (`/oauth2/auth`) never supports CORS. Browsers call this endpoint directly, not through AJAX, so CORS is unnecessary and unsafe. From 26454f32ba2681570f69d97126a3579f073afe07 Mon Sep 17 00:00:00 2001 From: hackerman <3372410+aeneasr@users.noreply.github.com> Date: Wed, 27 Aug 2025 15:18:42 +0200 Subject: [PATCH 06/10] Update docs/hydra/guides/cors.mdx Co-authored-by: Vincent --- docs/hydra/guides/cors.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/hydra/guides/cors.mdx b/docs/hydra/guides/cors.mdx index 7918a20d2..7e7df938d 100644 --- a/docs/hydra/guides/cors.mdx +++ b/docs/hydra/guides/cors.mdx 
@@ -53,7 +53,7 @@ CORS is unnecessary and unsafe. ### OAuth 2.0 Token Endpoint -The **token**, **userinfo**, and **revocation** endpoints (`/oauth2/token`, `/userinfo`, `/oauth2/revoke`) allow requests from +The token, userinfo, and revocation endpoints (`/oauth2/token`, `/userinfo`, `/oauth2/revoke`) allow requests from origins defined in the OAuth 2.0 client’s `allowed_cors_origins` field. Example: ```json From 682a149c43ab7d2f8cdbea01a84b7d89053419ad Mon Sep 17 00:00:00 2001 From: hackerman <3372410+aeneasr@users.noreply.github.com> Date: Wed, 27 Aug 2025 15:18:51 +0200 Subject: [PATCH 07/10] Update docs/hydra/guides/cors.mdx Co-authored-by: Vincent --- docs/hydra/guides/cors.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/hydra/guides/cors.mdx b/docs/hydra/guides/cors.mdx index 7e7df938d..4fdcf37b3 100644 --- a/docs/hydra/guides/cors.mdx +++ b/docs/hydra/guides/cors.mdx @@ -51,7 +51,7 @@ serve: The authorization endpoint (`/oauth2/auth`) never supports CORS. Browsers call this endpoint directly, not through AJAX, so CORS is unnecessary and unsafe. -### OAuth 2.0 Token Endpoint +### OAuth 2.0 token endpoint The token, userinfo, and revocation endpoints (`/oauth2/token`, `/userinfo`, `/oauth2/revoke`) allow requests from origins defined in the OAuth 2.0 client’s `allowed_cors_origins` field. Example: From e6a59303b75141279dbbfad5597c64e0508122ca Mon Sep 17 00:00:00 2001 From: hackerman <3372410+aeneasr@users.noreply.github.com> Date: Wed, 27 Aug 2025 15:18:59 +0200 Subject: [PATCH 08/10] Update docs/hydra/guides/cors.mdx Co-authored-by: Vincent --- docs/hydra/guides/cors.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/hydra/guides/cors.mdx b/docs/hydra/guides/cors.mdx index 4fdcf37b3..04f66b5ae 100644 --- a/docs/hydra/guides/cors.mdx +++ b/docs/hydra/guides/cors.mdx 
@@ -63,7 +63,7 @@ origins defined in the OAuth 2.0 client’s `allowed_cors_origins` field. Exampl } ``` -This client can make CORS requests to `/oauth2/token` from `https://foo-bar.com/`, even if that origin is not listed in +This client can make CORS requests to `/oauth2/token` from `https://foo-bar.com/`, even if that origin isn't listed in `public.cors.allowed_origins`. ::: note From 13b889dd310cf02caa124390e99ab05982b4c21e Mon Sep 17 00:00:00 2001 From: aeneasr <3372410+aeneasr@users.noreply.github.com> Date: Wed, 27 Aug 2025 15:23:37 +0200 Subject: [PATCH 09/10] chore: synchronize workspaces --- docs/hydra/guides/cors.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/hydra/guides/cors.mdx b/docs/hydra/guides/cors.mdx index 04f66b5ae..324a9d6da 100644 --- a/docs/hydra/guides/cors.mdx +++ b/docs/hydra/guides/cors.mdx @@ -48,13 +48,13 @@ serve: ### OAuth 2.0 authorization endpoint -The authorization endpoint (`/oauth2/auth`) never supports CORS. Browsers call this endpoint directly, not through AJAX, so -CORS is unnecessary and unsafe. +The authorization endpoint (`/oauth2/auth`) never supports CORS. Browsers call this endpoint directly, not through AJAX, so CORS +is unnecessary and unsafe. ### OAuth 2.0 token endpoint -The token, userinfo, and revocation endpoints (`/oauth2/token`, `/userinfo`, `/oauth2/revoke`) allow requests from -origins defined in the OAuth 2.0 client’s `allowed_cors_origins` field. Example: +The token, userinfo, and revocation endpoints (`/oauth2/token`, `/userinfo`, `/oauth2/revoke`) allow requests from origins defined +in the OAuth 2.0 client’s `allowed_cors_origins` field. Example: ```json { 
@@ -68,8 +68,8 @@ This client can make CORS requests to `/oauth2/token` from `https://foo-bar.com/ ::: note -For preflight (OPTIONS) requests, you must also configure the origin in the global CORS settings. OPTIONS requests don’t -include authorization headers, so Hydra can't resolve which OAuth 2.0 client is making the request. +For preflight (OPTIONS) requests, you must also configure the origin in the global CORS settings. OPTIONS requests don’t include +authorization headers, so Hydra can't resolve which OAuth 2.0 client is making the request. ::: From 2ee1a689285cb5a0b6d927d06e73f7abfc6ba3b6 Mon Sep 17 00:00:00 2001 From: hackerman <3372410+aeneasr@users.noreply.github.com> Date: Thu, 28 Aug 2025 16:26:08 +0200 Subject: [PATCH 10/10] Modify CORS settings to use wildcard for origins Updated CORS configuration to allow all origins for public OAuth2 client registration. --- docs/hydra/guides/cors.mdx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/hydra/guides/cors.mdx b/docs/hydra/guides/cors.mdx index 324a9d6da..9cabbb380 100644 --- a/docs/hydra/guides/cors.mdx +++ b/docs/hydra/guides/cors.mdx @@ -42,8 +42,7 @@ serve: cors: enabled: true allowed_origins: - - https://example.com - - https://*.example.com + - * # Use wildcard for using Ory Hydra in 3rd party scenarios (public OAuth2 client registration), otherwise fixed domains. ``` ### OAuth 2.0 authorization endpoint
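Review bot: `- *` in the public `allowed_origins` list is not valid YAML: a bare `*` begins an alias, so the file fails to parse as written, and the trailing comment does not change that; it needs quoting, i.e. `- "*"`. The comment is also long enough to overflow the rendered code block; move the guidance (use a wildcard when third parties register public OAuth2 clients, otherwise list fixed domains) into the prose above the block. Because the same guide's Advanced configuration section shows `allow_credentials: true`, add that a wildcard origin cannot be combined with credentials. Style: the commit subject "Modify CORS settings to use wildcard for origins" lacks the `docs:` prefix the rest of the series uses.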