The most scalable and customizable identity server on the market. Replace your Homegrown, Auth0, Okta, Firebase with better UX and DX. Has all the tablestakes: Passkeys, Social Sign In, Multi-Factor Auth, SMS, SAML, TOTP, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
Currently the Ory Kratos Admin endpoint does not implement CORS, leading to issues connecting with a client to the admin endpoints. As the endpoint can be used by a web application, it should use CORS similar to the public endpoint, in order to prevent CORS issues.
At this moment a lot of example projects are using a proxy to enforce CORS compatibility, which does not seem correct in my opinion. Second, this leads to developers implementing alternatives as a workaround for a simple fix.
With respect to issue #2553, this would also help improve security for the admin endpoint.
Describe your ideal solution
The admin endpoint should support CORS similar to how this is supported with the public endpoint.
Workarounds or alternatives
Current workaround is a proxy to enforce CORS. In my opinion this should be avoided, as it might lead to more security issues.
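Added example (not Kratos code): the shape of admin-side CORS handling the issue asks for, in plain Go with net/http. It uses an explicit origin allow-list, answers preflights only for listed origins, and sends no Access-Control headers otherwise, so no proxy is needed in front of the admin listener. The origin, the /admin/identities route and port 4434 are assumed values for illustration.

```go
package main

import "net/http"

// Constructed allow-list standing in for an admin CORS setting; no wildcard,
// since an admin API should only ever be reachable from known UI origins.
var allowedOrigins = map[string]bool{
	"https://admin.example.test": true, // assumed origin of the admin UI
}
// withAdminCORS: listed origins get CORS headers and answered preflights;
// unlisted origins get no Access-Control-* headers (browser blocks the read)
// and their preflights are refused; requests without Origin pass through.
func withAdminCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin == "" {
			next.ServeHTTP(w, r)
			return
		}
		if !allowedOrigins[origin] {
			if r.Method == http.MethodOptions {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r) // plain request: served, but unreadable cross-origin
			return
		}
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", origin) // echo the matched origin, never "*"
		h.Add("Vary", "Origin")                      // keep caches from reusing it elsewhere
		h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE")
		h.Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent) // preflight: headers only
			return
		}
		next.ServeHTTP(w, r)
	})
}

// adminHandler is a stand-in admin API with one assumed route.
func adminHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/admin/identities", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.Write([]byte(`[]`))
	})
	return withAdminCORS(mux)
}
func main() { http.ListenAndServe("127.0.0.1:4434", adminHandler()) } // 4434 assumed admin port
```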
Version
v0.10.1
Additional Context
No response