Both ORY Hydra's Admin and Public endpoints support CORS. For detailed information, head over to the exemplary config file.
For CORS to work properly, we encourage to set the following values:
Keep in mind that the OAuth 2.0 Authorization Endpoint (
/oauth2/auth) does not
expose CORS by design. This endpoint should never be consumed in a CORS-fashion.
Some endpoints (
include URLs listed in field
allowed_cors_origins of the OAuth 2.0 Client that
is making the request. For example, OAuth 2.0 Client
is allowed to make CORS request to
/oauth2/token from origin
https://foo-bar.com/ even if that origin is not listed in