New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OAuth2 Authorization Endpoint Doesn't Use CORS #1211
Comments
There seem to be several things mixed here:
While your original post showed that you set |
For clarification, only endpoint |
Please let me try to explain what I want to do, it is not really an API usage of I've got two relying parties using the authorization code grant flow with different OAuth2 clients. The consent endpoint is set up to automatically accept the scopes requested and will not show any page. When the user visits relying party 1 the generated HTML tries to include a snippet of HTML from relying party 2 ("transclusion" implemented in a way similar to https://github.com/gustafnk/h-include). Under the covers this uses the If the user is not yet known to relying party 2 the In a normal browser flow (the user clicking on a link to relying party 2 rather than using With I'm sorry if I messed up my "how to reproduce" setup, I've tried to strip it down to the bare minimum needed and overlooked details while doing so. I could fix things - in my real system things work for the "normal" flow so the clients are registered properly and I have added |
I think what you're looking for is OIDC Silent Refresh (or similar) which is typically done using a (hidden) iframe (example). The |
Thank you. I am aware of the OpenID Connect Session spec but it looked like overkill and I think it wouldn't work with our use case as we need to tell a different RP about the user being logged in We could include an iframe from the second party and have it run its authorization code grant flow there but wanted to avoid that. What I was after is more akin to the After all it is a user client making the request to the authorization endpoint - it is the same browser window just using Anyway I can certainly accept if you don't want to change the current state. In that case you may want to close this issue as "wontfix" or whatever seems appropriate ("not a bug", maybe?) and I'll have to think up a workaround for us. Many thanks again for your prompt feedback. |
No problem, to the best of my knowledge, it is possible to configure The other, more obvious and easier, solution is to add Nginx with forced CORS for
Closing as "intentional behaviour". :) |
yep, the reverse proxy approach is what I had in mind as well. Thanks. |
By the way, reason for not adding CORS here is because developers have misconceptions about that endpoint every now and then. Your use case is exotic enough to weigh it as "intentional behaviour" as opposed to fixing a (small) part of the code base, as it will prevent inexperienced devs from accidentally misusing the endpoint (which happens more regularly)! |
Understood. Initially I already suspected this was intentional, that's why I asked in the forum first. |
Describe the bug
Even though CORS is enabled and the request includes an
Origin
header, the response of the authorization endpoint that redirect to the login endpoint does not contain anyAccess-Control-Allow-Origin
header.To Reproduce
Steps to reproduce the behavior:
docker-compose -p hydra up --build
docker exec -it `docker ps -f name=hydra_hydra_1 -q` hydra clients create --endpoint http://hydra:4445 --id auth-code-client --secret secret --grant-types authorization_code,refresh_token --response-types code,id_token --scope openid,offline --callbacks http://127.0.0.1:5555/callback
curl -v -H 'Origin: http://localhost' http://localhost:4444/.well-known/openid-configuration
- you can see Hydra setsAccess-Control-Allow-Origin: *
in the responsecurl -v -H 'Origin: http://localhost' http://localhost:4444/oauth2/auth?audience=&client_id=auth-code-client&max_age=0&nonce=ropdgutegfzaxlxddxqfwgts&prompt=&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=openid+offline&state=ardsvbolwgdwsqgvfrmavepw
the response is something like
Expected behavior
The reponse in the last step contains a
Access-Control-Allow-Origin
headerVersion:
Additional context
https://community.ory.sh/t/authorization-endpoint-bypasses-cors-middleware/812
Adding
allowed_cors_origins
to the created client doesn't seem to have any effect.https://github.com/ory/hydra/blob/master/oauth2/handler.go#L173 does not use the
corsMiddleware
at all which I suspect to be the root cause.The text was updated successfully, but these errors were encountered: