CORS problem on /admin/oauth2/auth/requests/login

[jijjijj]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Network project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe the bug

When trying to access /admin/oauth2/auth/requests/login from browser, the request does not pass and the browser shows the following errors:

The request and response look like this:

What am I doing wrong?

P.S. What's weird is that Ory Hydra doesn't print out any CORS debug information. Also I tried to change allowed origins from 8091 port to 8090 (which is wrong), it didn't make any difference. The request (according to logs) ends with 200 OK.

Reproducing the bug

Try to access /admin/oauth2/auth/requests/login from browser, using the following code:

const Conf = new ConfigurationOry();
const AxiosClient = axios.create({
    headers: {"Content-type": "application/json"},
    withCredentials: true
});
const Hydra = new OAuth2Api(Conf,
    'http://127.0.0.1:4445', AxiosClient);
Hydra.getOAuth2LoginRequest({
        loginChallenge: LoginChallenge
    }).then((data) => {
        console.log(data);
    });

Ory Hydra is started like this: hydra serve all --dev

Relevant log output

INFO[2023-03-04T21:50:02Z] Setting up http server on :4445               audience=application service_name=Ory Hydra service_version=v2.0.3
2023-03-04T21:50:02.436480200Z INFO[2023-03-04T21:50:02Z] Setting up http server on :4444               audience=application service_name=Ory Hydra service_version=v2.0.3
2023-03-04T21:50:02.436843600Z WARN[2023-03-04T21:50:02Z] HTTPS is disabled. Please ensure that your proxy is configured to provide HTTPS, and that it redirects HTTP to HTTPS.  audience=application service_name=Ory Hydra service_version=v2.0.3
2023-03-04T21:50:07.576985700Z INFO[2023-03-04T21:50:07Z] started handling request                      http_request=map[headers:map[accept:application/json, text/plain, */* accept-encoding:gzip, deflate, br accept-language:ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7 cache-control:no-cache connection:keep-alive cookie:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". origin:http://127.0.0.1:8091 pragma:no-cache referer:http://127.0.0.1:8091/ sec-ch-ua:"Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110" sec-ch-ua-mobile:?0 sec-ch-ua-platform:"Windows" sec-fetch-dest:empty sec-fetch-mode:cors sec-fetch-site:same-site user-agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36] host:127.0.0.1:4445 method:GET path:/admin/oauth2/auth/requests/login query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:172.17.0.1:48974 scheme:http]
2023-03-04T21:50:07.591642600Z INFO[2023-03-04T21:50:07Z] completed handling request                    http_request=map[headers:map[accept:application/json, text/plain, */* accept-encoding:gzip, deflate, br accept-language:ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7 cache-control:no-cache connection:keep-alive cookie:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". origin:http://127.0.0.1:8091 pragma:no-cache referer:http://127.0.0.1:8091/ sec-ch-ua:"Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110" sec-ch-ua-mobile:?0 sec-ch-ua-platform:"Windows" sec-fetch-dest:empty sec-fetch-mode:cors sec-fetch-site:same-site user-agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36] host:127.0.0.1:4445 method:GET path:/admin/oauth2/auth/requests/login query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:172.17.0.1:48974 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:application/json; charset=utf-8] size:1478 status:200 text_status:OK took:14.5493ms]

Relevant configuration

SERVE_COOKIES_SAME_SITE_MODE=Lax
URLS_SELF_ISSUER=http://127.0.0.1:4444
URLS_CONSENT=http://127.0.0.1:8091/auth/consent
URLS_LOGIN=http://127.0.0.1:8091/auth/login
SECRETS_SYSTEM=0123456789abcdef
SERVE_PUBLIC_BASE_URL=http://127.0.0.1:4444
SERVE_PUBLIC_CORS_ENABLED=true
SERVE_PUBLIC_CORS_ALLOWED_ORIGINS=http://127.0.0.1:8091
SERVE_PUBLIC_CORS_ALLOWED_METHODS=POST,GET,PUT,PATCH,DELETE,OPTIONS
SERVE_PUBLIC_CORS_DEBUG=true
SERVE_ADMIN_BASE_URL=http://127.0.0.1:4445
SERVE_ADMIN_CORS_ENABLED=true
SERVE_ADMIN_CORS_ALLOWED_ORIGINS=http://127.0.0.1:8091
SERVE_ADMIN_CORS_ALLOWED_METHODS=POST,GET,PUT,PATCH,DELETE,OPTIONS
SERVE_ADMIN_CORS_DEBUG=true
LOG_LEVEL=debug
LOG_FORMAT=text

Version

oryd/hydra:v2.0.3

On which operating system are you observing this issue?

Windows

In which environment are you deploying?

Docker

Additional Context

The main application is running on http://127.0.0.1:8091

[ChrisLahaye]

You shouldn't perform this request in the frontend. This is an admin endpoint which should be kept private and properly secured. Performing the request in the frontend will leak the credentials.