CORS for public is disabled?

[toddams]

Describe the bug
Seems like setting environment variable "SERVE_PUBLIC_CORS_ENABLED" makes no effect. I can not find any message in log that CORS is enabled, even though for Admin part it works with "SERVE_ADMIN_CORS_ENABLED".
Also, I see this line:

hydra/cmd/server/handler.go

Line 120 in 067e498

EnhanceMiddleware(d, publicmw, d.Configuration().PublicListenOn(), public.Router, false, "public"),

- seems like configuration setting is not taken into account at all (false is passed)

To Reproduce
Run hydra with following environment variables

environment:
      - SERVE_PUBLIC_CORS_ENABLED=true
      - LOG_LEVEL=debug
      - SERVE_PUBLIC_CORS_DEBUG=true
      - SERVE_PUBLIC_CORS_ALLOWED_ORIGINS=*
      - SERVE_ADMIN_CORS_ENABLED=true
      - SERVE_ADMIN_CORS_DEBUG=true
      - SERVE_ADMIN_CORS_ALLOWED_ORIGINS=*
      - CORS_ALLOWED_ORIGINS=*
      - SECRETS_SYSTEM=youReallyNeedToChangeThis
      - DSN=postgres://$POSTGR_USER:$POSTGR_PASSWORD@database:5432/$POSTGR_DB?sslmode=disable
      - URLS_LOGIN=http://localhost:5000/openid/login
      - URLS_CONSENT=http://localhost:5000/openid/consent

Expected behavior
CORS is enabled

Version:

• Environment: docker
• Version: v1.0.0-rc.9_oryOS.10

[aeneasr]

What endpoint are you trying to access?

[toddams]

It's /userinfo

[aeneasr]

What does the log show?

[aeneasr]

CORS is enabled differently at those endpoints as OAuth 2.0 Clients can advertise their own origin. It's most likely something missing, I would include CORS_ALLOWED_HEADERS (with Authorization because you're sending the access token), potentially CORS_ALLOW_CREDENTIALS as well as the methods (POST, GET).

[aeneasr]

You can check if ./well-known/jwks.json responds with CORS headers, if it does it's probably due to you sending an Authorization Header.

[simenandre]

👋
I'm having issues with this as well. I'm still testing, but I've tested against ./well-known/jwks.json. CORS did not work there either.

[aeneasr]

I just tried it and CORS is working fine, pretty sure it's the header setting.

$ hydra serve all --dangerous-force-http

[simenandre]

I've tested more – and got it working. You just have to make sure to add Authorization to CORS_ALLOWED_HEADERS.

[aeneasr]

Perfect, I'll document that in the docs.

[aeneasr]

I've added this to the docs

[aeneasr]

We'll actually set the defaults to something sane, as per #1400 .

This will hopefully avoid unnecessary work in the future.