CORS for hybrid mobile apps

[PeteMac88]

Hey there,
we are developing a hybrid mobile app and want to use our central auth server. I am currently getting a CORS error saying no 'Access-Control-Allow-Origin' is set which makes sense since its not enabled. We will also have some web apps that run under a specific domain using the auth server.

My idea here is following setting:

public:
    cors:
      enabled: true
      allowed_origins:
        - https://domain.com
        - https://*.domain.com
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
      exposed_headers:
        - Content-Type

This will enable all the web apps under the same domain to use the public hydra endpoints. For the mobile clients we could add the allowed_cors_origins to allow requests from the devices which sending the requests from orginin capacitor://localhost (Android) or http://localhost (iOS) right?

The only problem I see here is that the client library we are using makes a request in the beginning to read the openid-configuration which is already blocked.

What is your recommendation for CORS settings in this case? Is it safe to use CORS here?

Thanks for your help in advance :)

[Benehiko]

Hi @PeteMac88,

Sorry for the late reply and thank you for reaching out :)
Is this issue maybe related to your problem? #1754

Also, see this article regarding implementing public clients (mobile apps, web apps etc.) https://www.ory.sh/oauth2-for-mobile-app-spa-browser/

And this discussion on a similar topic #2258

[Benehiko]

Hi @PeteMac88,

Do you still require assistance?

[vinckr]

Since the topic seems to be stale @PeteMac88,
I will mark this as answered until further notice.