CORS issues with /userinfo endpoint

Hydra does not send back an access-control-allow-origin header with an options request to /userinfo. This is after explicitly setting the CORS_ALLOWED_ORIGINS env variable. The header to allow cross-origin doesn’t get sent even with the default * origin settings.

Please, always, include the version you’re experiencing the issue with.

hydra version 0.11.12

Please provide more info, like the environment variables that you’re using and also a request example (screenshot works)

Hydra is running with --dangerous-force-http and --skip-tls-verify as a local docker container
Only environment variables are DATABASE_URL, SYSTEM_SECRET.

When I add export CORS_ALLOWED_ORIGINS=http://localhost:3000 and restart hydra, the header to allow localhost still doesn’t get passed in the response.

Seems like you’re not properly setting CORS_ALLOWED_ORIGINS=http://localhost:3000. Are you indeed setting that variable in the Docker container? Remember, setting env vars in Docker works like this:

docker -e CORS_ALLOWED_ORIGINS=http://localhost:3000 -e DATABASE_URL=... ...

it does not work like this:

export CORS_ALLOWED_ORIGINS=http://localhost:3000
docker run ...

That is not how I am using it.

docker run -d \
  --name ory-hydra-example--hydra \
  --network hydraguide \
  -p 9000:4444 \
  -e SYSTEM_SECRET=$SYSTEM_SECRET \
  -e DATABASE_URL=$DATABASE_URL \
  -e ISSUER=http://localhost:9000/ \
  -e CONSENT_URL=http://localhost:9020/consent \
  -e CORS_ALLOWED_ORIGINS=$CORS_ALLOWED_ORIGINS \
  -e FORCE_ROOT_CLIENT_CREDENTIALS=admin:demo-password \
  oryd/hydra:$HYDRA_VERSION host --skip-tls-verify --dangerous-force-http
export SYSTEM_SECRET=this_needs_to_be_the_same_always_and_also_very_$3cuR3-._
export DATABASE_URL=postgres://hydra:secret@ory-hydra-example--postgres:5432/hydra?sslmode=disable
export HYDRA_VERSION=v0.11.12
# export CORS_ALLOWED_ORIGINS=http://localhost:3000 << ignore this for now

Below is the command I’m using:

docker run -d \
  --name ory-hydra-example--hydra \
  --network hydraguide \
  -p 9000:4444 \
  -e SYSTEM_SECRET=$SYSTEM_SECRET \
  -e DATABASE_URL=$DATABASE_URL \
  -e ISSUER=http://localhost:9000/ \
  -e CONSENT_URL=http://localhost:9020/consent \
  -e FORCE_ROOT_CLIENT_CREDENTIALS=admin:demo-password \
  oryd/hydra:$HYDRA_VERSION host --skip-tls-verify --dangerous-force-http

But that aside, it should work since the default is to allow * origins. https://github.com/ory/hydra/blob/f7f010adaa4e9d22d3e4a883886906b83639516a/cmd/host.go#L168

Please make hydra respond with the correct headers when a preflight (OPTIONS) request is made to the /userinfo endpoint.
Make hydra pull the settings configured via -e CORS_ALLOWED_ORIGINS=comma,separated,values and add all of them when an OPTIONS request is made, or respond with * when none are available.

Here is an image of a CORS request that CORS-conformant browsers won’t complain about. Note the response headers.
https://camo.githubusercontent.com/02a0f4a96ed7881b4c5d832d0f9440a9306af3ca/687474703a2f2f692e696d6775722e636f6d2f515648316c63372e706e67

But that aside, it should work since the default is to allow * origins.

This is documented incorrectly. If you do not include the environment variable then CORS will be disabled. This will work, just try it:

docker run -d \
  --name ory-hydra-example--hydra \
  --network hydraguide \
  -p 9000:4444 \
  -e SYSTEM_SECRET=$SYSTEM_SECRET \
  -e DATABASE_URL=$DATABASE_URL \
  -e ISSUER=http://localhost:9000/ \
  -e CONSENT_URL=http://localhost:9020/consent \
  -e FORCE_ROOT_CLIENT_CREDENTIALS=admin:demo-password \
  -e CORS_ALLOWED_ORIGINS=* \
  oryd/hydra:$HYDRA_VERSION host --skip-tls-verify --dangerous-force-http

And obviously, you also need to set the other CORS values.

If you can’t seem to get it working (for example because you forgot to whitelist a needed header, a method, or whatever), just set CORS_DEBUG=true and it should give you information on why the preflight/CORS request fails.

I know that the CORS feature works, because the ORY Security Console works which needs this feature, so it has to be your configuration.

Thank you so much for your time helping me get to the bottom of this. And for Hydra and for making it open source. Thank you.
Here is where I am now: I am running the latest master branch of hydra (v0.11.12) locally with CORS_DEBUG=true and CORS_ALLOWED_ORIGINS=*


Don’t know how to interpret this. Multiple Preflight requests are failing with both GET and POST. Not sure why.

Here are the logs from trying it in a browser (Chrome) and JavaScript (axios).

The request as Chrome says it sent it.

You need to allow the HTTP methods CORS_ALLOWED_METHODS and probably also CORS_ALLOWED_HEADERS. Or, if you can’t get it working, use a proxy like Kong in front.

You can try this:

      - CORS_ALLOWED_ORIGINS=*
      - CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,PATCH
      - CORS_ALLOWED_CREDENTIALS=true
      - CORS_ALLOWED_HEADERS=Authorization,Accept,Accept-Language,Content-Language,Content-Type

Those are the settings we use for the Security Console to work.
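The two maintainer replies above make the same point: a preflight is not accepted just because the origin is allowed; the browser also asks for a method and a set of headers, and the server must allow each of those too, which is what CORS_DEBUG=true reports when something is missing. The following Go program is an added example, not code from this thread, from Hydra or from the CORS library Hydra uses; it is a simplified model of how a CORS-conformant server decides an OPTIONS preflight against the four settings quoted in the post. The type and function names (CORSConfig, Preflight, ParseEnv, EvaluatePreflight) and the two sample preflights are this example's own constructions.

```go
package main

import (
	"fmt"
	"strings"
)

// CORSConfig models the four environment variables from the thread.
// Field names are this example's own, not Hydra's types.
type CORSConfig struct {
	AllowedOrigins   []string // CORS_ALLOWED_ORIGINS ("*" allows any origin)
	AllowedMethods   []string // CORS_ALLOWED_METHODS
	AllowedHeaders   []string // CORS_ALLOWED_HEADERS
	AllowCredentials bool     // CORS_ALLOWED_CREDENTIALS
}

// Preflight is the part of the browser's OPTIONS request that matters here,
// e.g. axios calling /userinfo from http://localhost:3000 with a bearer token.
type Preflight struct {
	Origin         string   // Origin header
	RequestMethod  string   // Access-Control-Request-Method header
	RequestHeaders []string // Access-Control-Request-Headers header, split on commas
}

// ParseEnv splits a "comma,separated,values" setting; an unset or empty
// variable yields nil, which EvaluatePreflight treats as "CORS disabled".
func ParseEnv(v string) []string {
	var out []string
	for _, p := range strings.Split(v, ",") {
		if p = strings.TrimSpace(p); p != "" {
			out = append(out, p)
		}
	}
	return out
}

// containsFold reports whether want is in list, ignoring ASCII case
// (HTTP header names and the "*" wildcard are compared case-insensitively).
func containsFold(list []string, want string) bool {
	for _, v := range list {
		if strings.EqualFold(v, want) {
			return true
		}
	}
	return false
}

// EvaluatePreflight returns the CORS response headers for an accepted
// preflight, or an empty map plus a reason string naming the check that
// failed. This is a strict model: every requested header must be listed in
// AllowedHeaders (real libraries additionally safelist a few simple headers).
func EvaluatePreflight(cfg CORSConfig, p Preflight) (map[string]string, string) {
	if len(cfg.AllowedOrigins) == 0 {
		return nil, "CORS disabled: no allowed origins configured"
	}
	wildcard := containsFold(cfg.AllowedOrigins, "*")
	if !wildcard && !containsFold(cfg.AllowedOrigins, p.Origin) {
		return nil, fmt.Sprintf("origin %q is not in the allowed origins", p.Origin)
	}
	if !containsFold(cfg.AllowedMethods, p.RequestMethod) {
		return nil, fmt.Sprintf("method %s is not in the allowed methods", p.RequestMethod)
	}
	for _, h := range p.RequestHeaders {
		if !containsFold(cfg.AllowedHeaders, h) {
			return nil, fmt.Sprintf("header %s is not in the allowed headers", h)
		}
	}
	headers := map[string]string{
		"Access-Control-Allow-Origin":  p.Origin,
		"Access-Control-Allow-Methods": p.RequestMethod,
	}
	// Browsers reject a literal "*" on a credentialed request (cookies or
	// Authorization), so with credentials the concrete origin is echoed instead.
	if wildcard && !cfg.AllowCredentials {
		headers["Access-Control-Allow-Origin"] = "*"
	}
	if cfg.AllowCredentials {
		headers["Access-Control-Allow-Credentials"] = "true"
	}
	if len(p.RequestHeaders) > 0 {
		headers["Access-Control-Allow-Headers"] = strings.Join(p.RequestHeaders, ", ")
	}
	return headers, ""
}

func main() {
	// Constructed preflight resembling the thread's failing GET to /userinfo.
	req := Preflight{Origin: "http://localhost:3000", RequestMethod: "GET",
		RequestHeaders: []string{"Authorization"}}

	// Only the origin variable set, as in the reporter's first attempt.
	onlyOrigin := CORSConfig{AllowedOrigins: ParseEnv("*")}
	_, reason := EvaluatePreflight(onlyOrigin, req)
	fmt.Println("origin only:", reason)

	// The full set of values quoted by the maintainer.
	full := CORSConfig{
		AllowedOrigins:   ParseEnv("*"),
		AllowedMethods:   ParseEnv("GET,POST,PUT,DELETE,PATCH"),
		AllowedHeaders:   ParseEnv("Authorization,Accept,Accept-Language,Content-Language,Content-Type"),
		AllowCredentials: true,
	}
	headers, reason := EvaluatePreflight(full, req)
	fmt.Println("full config:", headers, reason)
}
```

Running it shows the first configuration rejected with a method complaint and the second accepted, which matches the thread's outcome. One caveat for anyone copying the working values: a wildcard origin combined with CORS_ALLOWED_CREDENTIALS=true means any web page can make credentialed calls to the endpoint, so outside a local demo the origins should be an explicit list.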


Thanks. I got it working with config like given. :+1: