CORS wildcard does not work below first subdomain
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] This issue affects my Ory Network project.
- [X] I have joined the Ory Community Slack.
- [X] I am signed up to the Ory Security Patch Newsletter.
Describe the bug
Setting up cors.allowed_origins with a value of https://*.example.com will:
- add the CORS headers to a request from https://foo.example.com ✔️
- not add the CORS headers to a request from https://foo.bar.example.com ❌
Reproducing the bug
- Run 5-min quickstart hydra with enabled cors and allowed_origins of https://*.example.com
- curl -v 'http://127.0.0.1:4444/.well-known/openid-configuration' -H 'Origin: https://foo.example.com' (note the presence of CORS headers; this proves CORS is working correctly in a typical environment)
* Trying 127.0.0.1:4444...
* Connected to 127.0.0.1 (127.0.0.1) port 4444 (#0)
> GET /.well-known/openid-configuration HTTP/1.1
> Host: 127.0.0.1:4444
> User-Agent: curl/7.74.0
> Accept: */*
> Origin: https://foo.example.com
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Origin: https://foo.example.com
< Access-Control-Expose-Headers: Cache-Control, Expires, Last-Modified, Pragma, Content-Length, Content-Language, Content-Type
< Cache-Control: private, no-cache, no-store, must-revalidate
< Content-Type: application/json; charset=utf-8
< Vary: Origin
< Date: Thu, 23 Mar 2023 15:49:59 GMT
< Content-Length: 1508
<
{"issuer":"http://127.0.0.1:4444","authorization_endpoint":"http://127.0.0.1:4444/oauth2/auth","token_endpoint":"http://127.0.0.1:4444/oauth2/token","jwks_uri":"http://127.0.0.1:4444/.well-known/jwks.json","subject_types_supported":["pairwise","public"],"response_types_supported":["code","code id_token","id_token","token id_token","token","token id_token code"],"claims_supported":["sub"],"grant_types_supported":["authorization_code","implicit","client_credentials","refresh_token"],"response_modes_supported":["query","fragment"],"userinfo_endpoint":"http://127.0.0.1:4444/userinfo","scopes_supported":["offline_access","offline","openid"],"token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic","private_key_jwt","none"],"userinfo_signing_alg_values_supported":["none","RS256"],"id_token_signing_alg_values_supported":["RS256"],"id_token_signed_response_alg":["RS256"],"userinfo_signed_response_alg":["RS256"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"claims_parameter_supported":false,"revocation_endpoint":"http://127.0.0.1:4444/oauth2/revoke","backchannel_logout_supported":true,"backchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"frontchannel_logout_session_supported":true,"end_session_endpoint":"http://127.0.0.1:4444/oauth2/sessions/logout","request_object_signing_alg_values_supported":["none","RS256","ES256"],"code_challenge_methods_supported":["plain","S256"]}
* Connection #0 to host 127.0.0.1 left intact
- curl -v 'http://127.0.0.1:4444/.well-known/openid-configuration' -H 'Origin: https://foo.bar.example.com' (note the absence of CORS headers; this proves CORS does not treat the wildcard as expected)
* Trying 127.0.0.1:4444...
* Connected to 127.0.0.1 (127.0.0.1) port 4444 (#0)
> GET /.well-known/openid-configuration HTTP/1.1
> Host: 127.0.0.1:4444
> User-Agent: curl/7.74.0
> Accept: */*
> Origin: https://foo.bar.example.com
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Cache-Control: private, no-cache, no-store, must-revalidate
< Content-Type: application/json; charset=utf-8
< Vary: Origin
< Date: Thu, 23 Mar 2023 15:50:13 GMT
< Content-Length: 1508
<
{"issuer":"http://127.0.0.1:4444","authorization_endpoint":"http://127.0.0.1:4444/oauth2/auth","token_endpoint":"http://127.0.0.1:4444/oauth2/token","jwks_uri":"http://127.0.0.1:4444/.well-known/jwks.json","subject_types_supported":["pairwise","public"],"response_types_supported":["code","code id_token","id_token","token id_token","token","token id_token code"],"claims_supported":["sub"],"grant_types_supported":["authorization_code","implicit","client_credentials","refresh_token"],"response_modes_supported":["query","fragment"],"userinfo_endpoint":"http://127.0.0.1:4444/userinfo","scopes_supported":["offline_access","offline","openid"],"token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic","private_key_jwt","none"],"userinfo_signing_alg_values_supported":["none","RS256"],"id_token_signing_alg_values_supported":["RS256"],"id_token_signed_response_alg":["RS256"],"userinfo_signed_response_alg":["RS256"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"claims_parameter_supported":false,"revocation_endpoint":"http://127.0.0.1:4444/oauth2/revoke","backchannel_logout_supported":true,"backchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"frontchannel_logout_session_supported":true,"end_session_endpoint":"http://127.0.0.1:4444/oauth2/sessions/logout","request_object_signing_alg_values_supported":["none","RS256","ES256"],"code_challenge_methods_supported":["plain","S256"]}
* Connection #0 to host 127.0.0.1 left intact
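To make the two candidate readings of the wildcard concrete, here is a small Go matcher, added here as an example and not Hydra's or Ory's code (the multiLabel switch, the function names and the sample origins are this example's own assumptions), that applies an allowed_origins pattern to a request Origin both as "*" = exactly one DNS label, which is what the curl runs above show, and as "*" = one or more labels, which is what the report expected.

```go
package main

import (
	"fmt"
	"strings"
)

// matchOrigin reports whether a request Origin satisfies pattern (an exact origin or
// "scheme://*.domain"). multiLabel=false: "*" is exactly one DNS label, as the report
// observes; multiLabel=true: one or more labels, as the reporter expected.
func matchOrigin(pattern, origin string, multiLabel bool) bool {
	psch, phost, ok1 := strings.Cut(strings.ToLower(pattern), "://")
	osch, ohost, ok2 := strings.Cut(strings.ToLower(origin), "://")
	// Scheme must match and ports match literally; an Origin header carries no path.
	if !ok1 || !ok2 || psch == "" || psch != osch || ohost == "" || strings.ContainsAny(ohost, "/?#") {
		return false
	}
	if !strings.HasPrefix(phost, "*.") {
		return phost == ohost // no wildcard: exact match only
	}
	suffix := phost[1:] // "*.example.com" -> ".example.com"
	if !strings.HasSuffix(ohost, suffix) {
		return false // rejects "evilexample.com" and the bare "example.com"
	}
	sub := strings.TrimSuffix(ohost, suffix)
	if sub == "" || strings.HasPrefix(sub, ".") || strings.HasSuffix(sub, ".") {
		return false // empty label, e.g. "https://.example.com"
	}
	return multiLabel || !strings.Contains(sub, ".")
}

// allowOriginHeader returns the Access-Control-Allow-Origin value to send: the
// matched request Origin echoed back (never the pattern), or "" to omit the header.
func allowOriginHeader(allowed []string, origin string, multiLabel bool) string {
	for _, p := range allowed {
		if matchOrigin(p, origin, multiLabel) {
			return origin
		}
	}
	return ""
}

func main() {
	allowed := []string{"https://*.example.com"} // constructed; mirrors the report's config
	for _, o := range []string{"https://foo.example.com", "https://foo.bar.example.com"} {
		fmt.Printf("%-28s one-label=%q  multi-label=%q\n", o,
			allowOriginHeader(allowed, o, false), allowOriginHeader(allowed, o, true))
	}
}
```

Because the responses above also carry Access-Control-Allow-Credentials: true, every origin the pattern admits receives credentialed cross-origin access, so switching to the multi-label reading extends that trust to every host at any depth under example.com.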
Relevant log output
tmp-hydra-1 | time=2023-03-23T15:49:19Z level=info msg=No tracer configured - skipping tracing setup audience=application service_name=Ory Hydra service_version=v2.0.3
tmp-hydra-1 | Thank you for using Ory Hydra v2.0.3!
tmp-hydra-1 |
tmp-hydra-1 | Take security seriously and subscribe to the Ory Security Newsletter. Stay on top of new patches and security insights.
tmp-hydra-1 |
tmp-hydra-1 | >> Subscribe now: http://eepurl.com/di390P <<
tmp-hydra-1 | time=2023-03-23T15:49:19Z level=info msg=Software quality assurance features are enabled. Learn more at: https://www.ory.sh/docs/ecosystem/sqa audience=application service_name=Ory Hydra service_version=v2.0.3
tmp-hydra-1 | time=2023-03-23T15:49:19Z level=info msg=Setting up http server on :4445 audience=application service_name=Ory Hydra service_version=v2.0.3
tmp-hydra-1 | time=2023-03-23T15:49:19Z level=info msg=Setting up http server on :4444 audience=application service_name=Ory Hydra service_version=v2.0.3
tmp-hydra-1 | time=2023-03-23T15:49:19Z level=warning msg=HTTPS is disabled. Please ensure that your proxy is configured to provide HTTPS, and that it redirects HTTP to HTTPS. audience=application service_name=Ory Hydra service_version=v2.0.3
tmp-hydra-migrate-1 exited with code 0
tmp-hydra-1 | time=2023-03-23T15:49:40Z level=info msg=started handling request http_request=map[headers:map[accept:*/* origin:https://foo.example.com user-agent:curl/7.74.0] host:127.0.0.1:4444 method:GET path:/.well-known/openid-configuration query:<nil> remote:172.20.0.1:41980 scheme:http]
tmp-hydra-1 | time=2023-03-23T15:49:40Z level=warning msg=JSON Web Key Set "hydra.openid.id-token" does not exist yet, generating new key pair... audience=application service_name=Ory Hydra service_version=v2.0.3
tmp-hydra-1 | time=2023-03-23T15:49:45Z level=info msg=completed handling request http_request=map[headers:map[accept:*/* origin:https://foo.example.com user-agent:curl/7.74.0] host:127.0.0.1:4444 method:GET path:/.well-known/openid-configuration query:<nil> remote:172.20.0.1:41980 scheme:http] http_response=map[headers:map[access-control-allow-credentials:true access-control-allow-origin:https://foo.example.com access-control-expose-headers:Cache-Control, Expires, Last-Modified, Pragma, Content-Length, Content-Language, Content-Type cache-control:private, no-cache, no-store, must-revalidate content-type:application/json; charset=utf-8 vary:Origin] size:1508 status:200 text_status:OK took:5.211230284s]
tmp-hydra-1 | time=2023-03-23T15:49:55Z level=info msg=started handling request http_request=map[headers:map[accept:*/* origin:https://foo.example.com user-agent:curl/7.74.0] host:127.0.0.1:4444 method:GET path:/.well-known/openid-configuration query:<nil> remote:172.20.0.1:36060 scheme:http]
tmp-hydra-1 | time=2023-03-23T15:49:55Z level=info msg=completed handling request http_request=map[headers:map[accept:*/* origin:https://foo.example.com user-agent:curl/7.74.0] host:127.0.0.1:4444 method:GET path:/.well-known/openid-configuration query:<nil> remote:172.20.0.1:36060 scheme:http] http_response=map[headers:map[access-control-allow-credentials:true access-control-allow-origin:https://foo.example.com access-control-expose-headers:Cache-Control, Expires, Last-Modified, Pragma, Content-Length, Content-Language, Content-Type cache-control:private, no-cache, no-store, must-revalidate content-type:application/json; charset=utf-8 vary:Origin] size:1508 status:200 text_status:OK took:1.12961ms]
tmp-hydra-1 | time=2023-03-23T15:49:59Z level=info msg=started handling request http_request=map[headers:map[accept:*/* origin:https://foo.example.com user-agent:curl/7.74.0] host:127.0.0.1:4444 method:GET path:/.well-known/openid-configuration query:<nil> remote:172.20.0.1:36064 scheme:http]
tmp-hydra-1 | time=2023-03-23T15:49:59Z level=info msg=completed handling request http_request=map[headers:map[accept:*/* origin:https://foo.example.com user-agent:curl/7.74.0] host:127.0.0.1:4444 method:GET path:/.well-known/openid-configuration query:<nil> remote:172.20.0.1:36064 scheme:http] http_response=map[headers:map[access-control-allow-credentials:true access-control-allow-origin:https://foo.example.com access-control-expose-headers:Cache-Control, Expires, Last-Modified, Pragma, Content-Length, Content-Language, Content-Type cache-control:private, no-cache, no-store, must-revalidate content-type:application/json; charset=utf-8 vary:Origin] size:1508 status:200 text_status:OK took:1.361447ms]
tmp-hydra-1 | time=2023-03-23T15:50:13Z level=info msg=started handling request http_request=map[headers:map[accept:*/* origin:https://foo.bar.example.com user-agent:curl/7.74.0] host:127.0.0.1:4444 method:GET path:/.well-known/openid-configuration query:<nil> remote:172.20.0.1:60756 scheme:http]
tmp-hydra-1 | time=2023-03-23T15:50:13Z level=info msg=completed handling request http_request=map[headers:map[accept:*/* origin:https://foo.bar.example.com user-agent:curl/7.74.0] host:127.0.0.1:4444 method:GET path:/.well-known/openid-configuration query:<nil> remote:172.20.0.1:60756 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:application/json; charset=utf-8 vary:Origin] size:1508 status:200 text_status:OK took:1.415227ms]
Relevant configuration
serve:
  public:
    cors:
      enabled: true
      allowed_origins:
        - https://*.example.com
  cookies:
    same_site_mode: Lax
urls:
  self:
    issuer: http://127.0.0.1:4444
  consent: http://127.0.0.1:3000/consent
  login: http://127.0.0.1:3000/login
  logout: http://127.0.0.1:3000/logout
secrets:
  system:
    - youReallyNeedToChangeThis
oidc:
  subject_identifiers:
    supported_types:
      - pairwise
      - public
    pairwise:
      salt: youReallyNeedToChangeThis
Version
Hydra 2.0.3
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Kubernetes with Helm
Additional Context
No response
Note: I used Hydra in this example; however, I believe this impacts all products.