Describe the bug
When trying to do authorization code grant with PKCE on a SPA(Single Page Application),
I get this error in Chromium when trying to access http://localhost:4444/oauth2/token with ajax
Access to XMLHttpRequest at 'http://localhost:4444/oauth2/token' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
To Reproduce
I have a hydra instance running on http://localhost:4444 and a client(SPA) on port http://localhost:4200.
I have set the environment variables:
SERVE_PUBLIC_CORS_ENABLED=true and SERVE_PUBLIC_CORS_ALLOWED_ORIGINS=And registered a client with
{
"allowed_cors_origins": ["http://localhost:4200"],
"token_endpoint_auth_method": "none",
"redirect_uris": ["http://localhost:4200/callback"]
}
I go to:
http://localhost:4444/oauth2/auth?response_type=code&scope=openid&client_id=16719cc1-6087-44b0-9d60-453c3b7eddae&code_challenge_method=S256&code_challenge=djnDoN2i-IqEUoaXDtUMJfa2Zw-i9kPtFDZ5wGOi-2g&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Fcallback&state=12345678
I do the login, consent flow
The client(SPA) when it gets the code:
this.http
.post('http://localhost:4444/oauth2/token', {
rant_type: 'authorization_code',
client_id: '16719cc1-6087-44b0-9d60-453c3b7eddae',
code_verifier: 'ZxjPkkUX5NBZ-kHMDIZYDpuB9y-qpk60O_gWGOs3dGs',
code,
redirect_uri: 'http://localhost:4200/callback'
})
.subscribe(v => alert(JSON.stringify(v)));
Steps to reproduce the behavior:
some-commandExpected behavior
For CORS to not block
Screenshots

If applicable, add screenshots to help explain your problem.
Version:
Additional context
Add any other context about the problem here.
To understand why cors doesn't work for your specific case, set CORS_DEBUG=1 and check the logs.
I got
[cors] 2019/05/06 13:51:21 Handler: Preflight request
[cors] 2019/05/06 13:51:21 Preflight aborted: headers '[Content-Type]' not allowed
But https://www.ory.sh/docs/hydra/configuration says
# Sets which headers (comma separated values) are safe to expose to the API of a CORS API specification. Defaults
# to the values listed.
exposed_headers:
- Content-Type
And why doesn't "SERVE_PUBLIC_CORS_DEBUG=1" work
Configuration key CORS_DEBUG is deprecated and will be removed in a future release. Use key serve.public.cors.allow_credentials
But https://www.ory.sh/docs/hydra/configuration says
# Sets whether the request can include user credentials like cookies, HTTP authentication
# or client side SSL certificates. Defaults to true.
allow_credentials: true
And why doesn't "SERVE_PUBLIC_CORS_DEBUG=1" work
Yeah that was broken on master and has been resolved with https://github.com/ory/hydra/commit/fa10d9d36341785f1f2c889a9c841b0b8dd0ef96 which has not been released as a new version yet.
Try setting:
allowed_headers:
- Authorization
- Content-Type
Thank you it works.
To understand why cors doesn't work for your specific case, set
CORS_DEBUG=1and check the logs.
where to set `CORS_DEBUG ??
Got same error while integrating my REST API with my react frontend.. any solution please??
Most helpful comment
where to set `CORS_DEBUG ??