
Configure cross-origin resource sharing (CORS)

All Ory services support cross-origin resource sharing (CORS), configured separately for each HTTP listener (for example `serve.public` and `serve.admin`). For the full schema, see the configuration file reference of the respective service.

Configure CORS in Ory Kratos

Enable CORS for specific origins in your configuration file:

```yaml
serve:
  admin:
    cors:
      enabled: true
      allowed_origins:
        - https://example.com
        - https://*.example.com # Wildcards are supported
  public:
    cors:
      enabled: true
      allowed_origins:
        - https://example.com
        - https://*.example.com
```

Configure CORS in Ory Hydra

We recommend the following base configuration:

```yaml
serve:
  admin:
    cors:
      enabled: true
      allowed_origins:
        - https://example.com
        - https://*.example.com
  public:
    cors:
      enabled: true
      allowed_origins:
        # Quote the wildcard: an unquoted "*" is a YAML alias and fails to parse.
        # Use it only when Ory Hydra serves third parties (public OAuth2 client
        # registration); otherwise list fixed domains.
        - "*"
```

A wildcard lets JavaScript on any website read responses from the public endpoints, so use it only for the third-party scenario described in the comment and pin explicit origins otherwise. Never configure a wildcard on the admin listener.

OAuth 2.0 authorization endpoint

The authorization endpoint (/oauth2/auth) never supports CORS, regardless of the settings above. Browsers reach it through a top-level redirect or link, not through a script-issued (AJAX/fetch) request, so CORS is not needed there, and exposing it to cross-origin scripts would be unsafe.

OAuth 2.0 token endpoint

The token, userinfo, and revocation endpoints (/oauth2/token, /userinfo, /oauth2/revoke) additionally accept cross-origin requests from the origins listed in the OAuth 2.0 client's allowed_cors_origins field. Each entry is matched against the browser's Origin header, which consists of scheme, host and optional port only, with no path or trailing slash. Example:

```json
{
  "client_id": "foo",
  "allowed_cors_origins": ["https://foo-bar.com"]
}
```

This client can make CORS requests to /oauth2/token from https://foo-bar.com even if that origin isn't listed in the global public.cors.allowed_origins.

::: note

Preflight (OPTIONS) requests carry neither a request body nor an Authorization header, so Hydra cannot tell which OAuth 2.0 client is asking and cannot apply that client's allowed_cors_origins. For a preflight to succeed, the origin must therefore also be listed in the global serve.public.cors.allowed_origins. Browsers send a preflight whenever the request includes an Authorization header (for example HTTP Basic client authentication) or a content type other than a plain form post.

:::
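The following Go program is an added example, not code from Ory Hydra, that models the two-tier origin check described above and in the note: a global allow-list that applies to every request including preflights, and a per-client allowed_cors_origins list that can only be consulted once the actual request identifies the client. The allow-lists, the client id `foo`, and the wildcard rule (text before `*` must prefix the Origin, text after it must suffix it, as in the rs/cors Go library) are assumptions for illustration; verify the exact matching semantics against your Ory version.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed allow-lists for this example, not values from the page.
// globalAllowedOrigins stands in for serve.public.cors.allowed_origins,
// clientCORSOrigins for each OAuth 2.0 client's allowed_cors_origins.
var globalAllowedOrigins = []string{"https://example.com", "https://*.example.com"}
var clientCORSOrigins = map[string][]string{"foo": {"https://foo-bar.com"}}

// originMatches applies a single-wildcard rule (assumed to mirror rs/cors):
// the text before "*" must prefix the Origin and the text after it must
// suffix it. Comparison is case-insensitive; browsers lowercase the host.
func originMatches(pattern, origin string) bool {
	pattern, origin = strings.ToLower(pattern), strings.ToLower(origin)
	if pattern == "*" {
		return true
	}
	i := strings.IndexByte(pattern, '*')
	if i < 0 {
		return pattern == origin
	}
	prefix, suffix := pattern[:i], pattern[i+1:]
	return len(origin) >= len(prefix)+len(suffix) &&
		strings.HasPrefix(origin, prefix) && strings.HasSuffix(origin, suffix)
}

func anyMatch(patterns []string, origin string) bool {
	for _, p := range patterns {
		if originMatches(p, origin) {
			return true
		}
	}
	return false
}

// allowOrigin decides whether the token endpoint may answer this Origin.
// A preflight (OPTIONS) carries no form body and no credentials, so only the
// global list can be consulted. The actual POST identifies the client
// (client_id form field or HTTP Basic user), whose own list is checked too.
func allowOrigin(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return false
	}
	if anyMatch(globalAllowedOrigins, origin) {
		return true
	}
	if r.Method == http.MethodOptions {
		return false // preflight: no way to tell which client is asking
	}
	clientID := r.PostFormValue("client_id")
	if clientID == "" {
		if user, _, ok := r.BasicAuth(); ok {
			clientID = user
		}
	}
	return anyMatch(clientCORSOrigins[clientID], origin)
}

// corsMiddleware follows standard CORS behaviour: a disallowed Origin simply
// gets no Access-Control-Allow-Origin header and the browser blocks the
// response; the server does not error out on that alone.
func corsMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if allowOrigin(r) {
			w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
			w.Header().Add("Vary", "Origin")
			w.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// tokenStub stands in for /oauth2/token; a real endpoint validates the grant.
func tokenStub(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"token_type":"bearer"}`)
}

// probe sends one request through the middleware and returns the
// Access-Control-Allow-Origin value the browser would see ("" = blocked).
func probe(method, origin, form string) string {
	req := httptest.NewRequest(method, "/oauth2/token", strings.NewReader(form))
	req.Header.Set("Origin", origin)
	if form != "" {
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	}
	rec := httptest.NewRecorder()
	corsMiddleware(http.HandlerFunc(tokenStub)).ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	form := "grant_type=client_credentials&client_id=foo&client_secret=secret"
	for _, c := range []struct{ method, origin, form string }{
		{"POST", "https://foo-bar.com", form},      // per-client origin: allowed
		{"OPTIONS", "https://foo-bar.com", ""},     // preflight: client unknown, blocked
		{"OPTIONS", "https://app.example.com", ""}, // global wildcard: allowed
		{"POST", "https://attacker.net", form},     // on neither list: blocked
	} {
		fmt.Printf("%-7s %-25s Allow-Origin=%q\n", c.method, c.origin, probe(c.method, c.origin, c.form))
	}
}
```

Running it shows the practical consequence of the note: the POST from https://foo-bar.com is allowed through the client's list, but the OPTIONS preflight from the same origin gets no CORS header because the client cannot be resolved, so a browser that has to preflight (for example because it sends HTTP Basic credentials) will fail until the origin is also added to the global list.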

Configure CORS in Ory Keto

```yaml
serve:
  read:
    cors:
      enabled: true
      allowed_origins:
        - https://example.com
        - https://*.example.com
  write:
    cors:
      enabled: true
      allowed_origins:
        - https://example.com
        - https://*.example.com
  metrics:
    cors:
      enabled: true
      allowed_origins:
        - https://example.com
        - https://*.example.com
```

Configure CORS in Ory Oathkeeper

```yaml
serve:
  proxy:
    cors:
      enabled: true
      allowed_origins:
        - https://example.com
        - https://*.example.com
  api:
    cors:
      enabled: true
      allowed_origins:
        - https://example.com
        - https://*.example.com
```

Advanced configuration

Within any listener's `cors` block you can also customize allowed methods, headers, and other CORS behavior:

```yaml
cors:
  enabled: true
  allowed_origins:
    - https://example.com
  allowed_methods:
    - GET
    - POST
    - PUT
    - PATCH
    - DELETE
    - OPTIONS
  allowed_headers:
    - Content-Type
  exposed_headers:
    - Content-Type
    - Date
    - Vary
  # Lets browsers include cookies and HTTP authentication in cross-origin
  # requests. Browsers refuse credentialed responses that carry a wildcard
  # Access-Control-Allow-Origin, so pin allowed_origins when enabling this.
  allow_credentials: true
  # Logs every CORS decision; useful while troubleshooting, noisy in production.
  debug: true
```