Kratos admin does not support CORS

[kamilkloch]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Network project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe your problem

Hello all, when trying to use kratos admin https://github.com/dfoxg/kratos-admin-ui I am running into CORS problems. Admin running on kamilk:3002 , kratos config contains allowed origins: - http://kamilk:3002/, browser fails to GET http://kamilk:4434/admin/identities due to CORS error: missing allowed origin. Indeed, kratos response does not contain Access-Control-Allow-Origin header.

Here is the 200 response from kratos, which is rejected by the browser due to "missing allowed origin":

Cache-Control: private, no-cache, no-store, must-revalidate
Content-Length: 3
Content-Type: application/json; charset=utf-8
Date: Mon, 03 Apr 2023 07:50:44 GMT
Link: <http://kamilk:4434/identities?page=0&page_size=250&page_token=eyJvZmZzZXQiOiIwIiwidiI6Mn0&per_page=250>; rel="first",<http://kamilk:4434/identities?page=1&page_size=250&page_token=eyJvZmZzZXQiOiIyNTAiLCJ2IjoyfQ&per_page=250>; rel="next",<http://kamilk:4434/identities?page=-1&page_size=250&page_token=eyJvZmZzZXQiOiItMjUwIiwidiI6Mn0&per_page=250>; rel="prev"
X-Total-Count: 0

It looks that kratos admin does not support CORS.

Describe your ideal solution

Support CORS in kratos admin, just like in kratos public.

Workarounds or alternatives

None

Version

0.13.0

Additional Context

No response

[jonas-jonas]

The admin API is not supposed to be accessed via browser and is not secured by design. Please use a reverse proxy like Ory Oathkeeper in front of it to configure CORS and auth for the admin APIs.

See also #3223

[kamilkloch]

Thank you for the hint. As for the oathkeeker, we currently disabled CORS due to ory/oathkeeper#1100