CORS Preflight Fails on Identity Hub – OPTIONS Requires Authentication #758
Hi,
This works well, and CORS is functioning as expected. We applied a similar setup for the Identity Hub. We've added the CORS configuration, also the super-user seed extension, configured the API key using EDC_IH_API_SUPERUSER_KEY, and we're able to make requests from Postman and curl successfully. However, when making requests from the UI (running at http://192.168.1.27/), the CORS preflight request (OPTIONS) fails with a 401 Unauthorized, likely because it doesn't include the X-API-Key header. This causes the Identity Hub to reject the preflight before the actual request can be made. Our question is: Is there a way to configure the Identity Hub to allow unauthenticated OPTIONS requests (i.e., bypass authentication for preflight), or to support direct browser connectivity without needing an intermediary proxy? What is your recommendation? Thanks in advance for your help!
Replies: 2 comments
Hi, You should not have a UI directly interact with any EDC management API, particularly because that is extremely insecure and not the intended purpose of the API. The design of management APIs in EDC is such that a UI backend (server) will need to handle user authentication, map those to permissions, and invoke appropriate management API operations on behalf of that user.
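The pattern described in the reply above, as an added example that is not EDC's or the Identity Hub's own code: a minimal UI backend (backend-for-frontend) served from the same origin as the UI, so the browser never sends a cross-origin preflight to the Identity Hub. The backend authenticates the browser session, maps the user's role to the verbs it may use, restricts the reachable paths, and only then forwards the call with the X-API-Key taken from EDC_IH_API_SUPERUSER_KEY on the server side. The Identity Hub URL, the allowed path prefix, the cookie name, and the session/role tables are assumptions constructed for the example.

```python
"""
UI backend (backend-for-frontend) that fronts the Identity Hub for a browser UI.

The browser only ever talks to this server on its own origin, so no cross-origin
preflight (OPTIONS) is sent to the Identity Hub at all. This backend checks the
user's session, maps the user to a permission set, and only then forwards the
call upstream, adding the X-API-Key from the server-side environment.
"""
import os
import urllib.error
import urllib.request
from dataclasses import dataclass
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Assumed deployment values: the Identity Hub base URL and the key configured via
# EDC_IH_API_SUPERUSER_KEY (the defaults are placeholders constructed for this example).
IDENTITY_HUB_URL = os.environ.get("IDENTITY_HUB_URL", "http://identity-hub.internal:7083")
IDENTITY_HUB_API_KEY = os.environ.get("EDC_IH_API_SUPERUSER_KEY", "PLACEHOLDER-SUPERUSER-KEY")

# Assumed path prefix the UI may reach through this backend; check the Identity Hub
# documentation for the real API paths of your version.
ALLOWED_PREFIXES = ("/api/identity/",)

# Constructed session store and role map standing in for a real IdP / session backend.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "admin"},
    "sess-bob": {"user": "bob", "role": "viewer"},
}
ROLE_PERMISSIONS = {
    "admin": {"GET", "POST", "PUT", "DELETE"},
    "viewer": {"GET"},
}


@dataclass
class Upstream:
    method: str
    url: str
    headers: dict


@dataclass
class Decision:
    status: int                          # HTTP status returned when the call is refused
    reason: str
    upstream: Optional[Upstream] = None  # set only when the call may proceed


def session_id_from_cookie(cookie_header: Optional[str]) -> Optional[str]:
    """Extract the value of the 'session' cookie; None when it is absent."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("session")
    return morsel.value if morsel else None


def authorize(method: str, path: str, cookie_header: Optional[str]) -> Decision:
    """Authenticate the browser session, check the role's permission for the verb,
    restrict the path, and build the upstream request. The API key is attached here
    and is never returned to the browser."""
    session = SESSIONS.get(session_id_from_cookie(cookie_header))
    if session is None:
        return Decision(401, "no valid session")
    verb = method.upper()
    if verb not in ROLE_PERMISSIONS.get(session["role"], set()):
        return Decision(403, f"role {session['role']} may not {verb}")
    if ".." in path or not path.startswith(ALLOWED_PREFIXES):
        return Decision(404, "path not exposed through this backend")
    headers = {"X-API-Key": IDENTITY_HUB_API_KEY, "Content-Type": "application/json"}
    return Decision(200, "ok", Upstream(verb, IDENTITY_HUB_URL + path, headers))


class BffHandler(BaseHTTPRequestHandler):
    """Same-origin endpoint for the UI; forwards only authorized calls upstream."""

    def _proxy(self) -> None:
        decision = authorize(self.command, self.path, self.headers.get("Cookie"))
        if decision.upstream is None:
            self.send_error(decision.status, decision.reason)
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        req = urllib.request.Request(decision.upstream.url, data=body,
                                     method=decision.upstream.method,
                                     headers=decision.upstream.headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status, payload = resp.status, resp.read()
        except urllib.error.HTTPError as err:  # relay upstream errors unchanged
            status, payload = err.code, err.read()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_PUT = do_DELETE = _proxy


if __name__ == "__main__":
    # Serve the UI and this API from the same origin so no preflight is needed.
    HTTPServer(("127.0.0.1", 8080), BffHandler).serve_forever()
```

The point of the split is that the browser holds only a session cookie for the UI backend, while the super-user key lives exclusively in the backend's environment; the preflight problem disappears because the cross-origin hop no longer exists, and the backend's own role check (`ROLE_PERMISSIONS`) is where per-user restrictions are enforced rather than handing every UI user the super-user key.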
No, such an option does not exist. And to be frank, in EDC that option only exists due to historical reasons, and it probably should be removed there as well. Please take a look at the documentation, which explicitly advises against directly exposing and consuming EDC APIs.