Setting up Cross-origin resource sharing (CORS)
Both Ory Hydra's Admin and Public endpoints support CORS. For detailed information, head over to the exemplary config file.
For CORS to work properly, we encourage to set the following values:
serve:
admin:
cors:
enabled: true
allowed_origins:
- https://example.com
- https://*.example.com
allowed_methods:
- POST
- GET
- PUT
- PATCH
- DELETE
allowed_headers:
- Authorization
exposed_headers:
- Content-Type
public:
cors:
enabled: true
allowed_origins:
- https://example.com
- https://*.example.com
allowed_methods:
- POST
- GET
- PUT
- PATCH
- DELETE
allowed_headers:
- Authorization
exposed_headers:
- Content-Type
Keep in mind that the OAuth 2.0 Authorization Endpoint (/oauth2/auth
) doesn't
expose CORS by design. This endpoint should never be consumed in a CORS-fashion.
Some endpoints (/oauth2/token
, /userinfo
, /oauth2/revoke
) also include
URLs listed in field allowed_cors_origins
of the OAuth 2.0 Client that is
making the request. For example, OAuth 2.0 Client
{
"client_id": "foo",
"allowed_cors_origins": ["https://foo-bar.com/"]
}
is allowed to make CORS request to /oauth2/token
from origin
https://foo-bar.com/
even if that origin isn't listed in
public.cors.allowed_origins
.