
CORS No 'Access-Control-Allow-Origin' header is present #1421

Closed
audioXD opened this issue May 5, 2019 · 8 comments

audioXD commented May 5, 2019

Describe the bug
When trying to do authorization code grant with PKCE on a SPA(Single Page Application),
I get this error in Chromium when trying to access http://localhost:4444/oauth2/token with ajax

Access to XMLHttpRequest at 'http://localhost:4444/oauth2/token' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

To Reproduce
I have a hydra instance running on http://localhost:4444 and a client(SPA) on port http://localhost:4200.
I have set the environment variables:

  • SERVE_PUBLIC_CORS_ENABLED=true and
  • SERVE_PUBLIC_CORS_ALLOWED_ORIGINS=

And registered a client with

{
  "allowed_cors_origins": ["http://localhost:4200"],
  "token_endpoint_auth_method": "none",
  "redirect_uris": ["http://localhost:4200/callback"]
}

I go to:
http://localhost:4444/oauth2/auth?response_type=code&scope=openid&client_id=16719cc1-6087-44b0-9d60-453c3b7eddae&code_challenge_method=S256&code_challenge=djnDoN2i-IqEUoaXDtUMJfa2Zw-i9kPtFDZ5wGOi-2g&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Fcallback&state=12345678

I do the login, consent flow

The client(SPA) when it gets the code:

// Angular HttpClient call; the JSON body makes the browser send a CORS preflight
// (OPTIONS) announcing Content-Type before the actual POST.
this.http
  .post('http://localhost:4444/oauth2/token', {
    grant_type: 'authorization_code',
    client_id: '16719cc1-6087-44b0-9d60-453c3b7eddae',
    code_verifier: 'ZxjPkkUX5NBZ-kHMDIZYDpuB9y-qpk60O_gWGOs3dGs',
    code,
    redirect_uri: 'http://localhost:4200/callback'
  })
  .subscribe(v => alert(JSON.stringify(v)));


Expected behavior
For CORS to not block


Version:

  • Chromium: Chromium 74.0.3729.131 Arch Linux
  • Environment: Docker
  • Version v1.0.0-rc.11


@audioXD audioXD closed this as completed May 5, 2019
@audioXD audioXD reopened this May 5, 2019
aeneasr (Member) commented May 5, 2019

To understand why cors doesn't work for your specific case, set CORS_DEBUG=1 and check the logs.

audioXD (Author) commented May 6, 2019

I got

[cors] 2019/05/06 13:51:21 Handler: Preflight request
[cors] 2019/05/06 13:51:21   Preflight aborted: headers '[Content-Type]' not allowed

But https://www.ory.sh/docs/hydra/configuration says

# Sets which headers (comma separated values) are safe to expose to the API of a CORS API specification. Defaults
# to the values listed.
exposed_headers:
  - Content-Type

audioXD (Author) commented May 6, 2019

And why doesn't "SERVE_PUBLIC_CORS_DEBUG=1" work

Configuration key CORS_DEBUG is deprecated and will be removed in a future release. Use key serve.public.cors.allow_credentials

But https://www.ory.sh/docs/hydra/configuration says

# Sets whether the request can include user credentials like cookies, HTTP authentication
# or client side SSL certificates. Defaults to true.
allow_credentials: true

aeneasr (Member) commented May 6, 2019

And why doesn't "SERVE_PUBLIC_CORS_DEBUG=1" work

Yeah that was broken on master and has been resolved with fa10d9d which has not been released as a new version yet.

aeneasr (Member) commented May 6, 2019

Try setting:

allowed_headers:
  - Authorization
  - Content-Type
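The two comments above show the distinction that tripped this issue up: `exposed_headers` only governs which response headers a script may read after a successful request, while a preflight succeeds or fails on `allowed_headers`. The following Go program is an added illustration (not Hydra's code; the `CORSConfig` type and `Preflight` function are stand-ins) that evaluates a browser preflight against both configurations from the thread.

```go
package main

import (
	"fmt"
	"strings"
)

// CORSConfig is a stand-in for the serve.public.cors keys named in the thread.
type CORSConfig struct {
	AllowedOrigins []string
	AllowedHeaders []string
	ExposedHeaders []string // never consulted for preflight; only decorates real responses
}

// Preflight judges an OPTIONS request the way a CORS middleware does: Origin must
// be allowed and every name in Access-Control-Request-Headers must be listed in
// allowed_headers. Returns response headers, or a reason modelled on the debug log.
func Preflight(cfg CORSConfig, origin string, requestHeaders []string) (map[string]string, string) {
	if !containsFold(cfg.AllowedOrigins, origin) {
		return nil, fmt.Sprintf("origin '%s' not allowed", origin)
	}
	for _, h := range requestHeaders {
		if !containsFold(cfg.AllowedHeaders, h) {
			return nil, fmt.Sprintf("headers '%v' not allowed", requestHeaders)
		}
	}
	return map[string]string{
		"Access-Control-Allow-Origin":  origin,
		"Access-Control-Allow-Headers": strings.Join(requestHeaders, ", "),
	}, ""
}

// containsFold matches case-insensitively, as header names (and hostnames) are.
func containsFold(list []string, want string) bool {
	for _, s := range list {
		if strings.EqualFold(s, want) {
			return true
		}
	}
	return false
}

func main() {
	origin, req := "http://localhost:4200", []string{"Content-Type"} // what Chromium announced for the JSON POST
	broken := CORSConfig{AllowedOrigins: []string{origin}, ExposedHeaders: []string{"Content-Type"}}
	_, why := Preflight(broken, origin, req) // exposed_headers alone: preflight still aborts
	fixed := CORSConfig{AllowedOrigins: []string{origin}, AllowedHeaders: []string{"Authorization", "Content-Type"}}
	hdrs, _ := Preflight(fixed, origin, req)
	fmt.Println("broken:", why, "| fixed:", hdrs["Access-Control-Allow-Origin"])
}
```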

audioXD (Author) commented May 6, 2019

Thank you it works.

@aeneasr aeneasr closed this as completed in 45bd863 May 6, 2019
@angadsinghsandhu

To understand why cors doesn't work for your specific case, set CORS_DEBUG=1 and check the logs.

where to set `CORS_DEBUG`??

@ChamberSinani

Got the same error while integrating my REST API with my React frontend. Any solution please??
