Question about cors implementation in hydra/x/oauth2cors/cors.go

[IronGeek]

Hi there,

First of all, I think this is related to #2258 and #1754.

Likewise, I'm also having trouble with configuring CORS on client level using the allowed_cors_origins. According to the docs:

Some endpoints (/oauth2/token, /userinfo, /oauth2/revoke) also include URLs listed in field allowed_cors_origins of the OAuth 2.0 Client that is making the request

But for some reason, my request to /userinfo always ended up in CORS error, even though the origin is correctly registered in allowed_cors_origins. FWIW, the global allowed_origins is set (not empty or *).

I've tried looking at the implementation specifically the code at https://github.com/ory/hydra/blob/master/x/oauth2cors/cors.go#L82-L130

From what I can gather, please CMIIW, the AllowOriginRequestFunc callback from line 82 of cors.go is called from github.com/rs/cors whenever a CORS request happens (both in preflight and actual request), right?.
And, in line 94–126 of cors.go hydra is trying to read the HTTP request Authorization headers in order to get correct the per-client level allowed_cors_origins configuration, right?

Again CMIIW, but doesn't the CORS spec specify that:

Note that even so, a CORS-preflight request never includes credentials.

So doesn't this makes the code checking for Authorization header while on preflight request will always failed; thus making any subsequent request (the actual request) to also failed (or aborted by browser) even though user might have sent the actual-original-request from within the (client-level) allowed origins AND with the correct credentials or Authorization headers attached.

Am I on the right track here? or am I missing something?
I would appreciate if anyone could clarify this...

Thank you.

[aeneasr]

That is extremely helpful! Continuing discussion in: #1754 (comment)