Devise token auth not returning the Set-Cookie header on different domain

Question

I have a rails 4 backend using DeviseTokenAuth and an AngularJS frontend using ngTokenAuth.
When frontend and backend are deployed on the same domain the authentication works perfectly.

When testing on localhost, with both the backend and the frontend running on localhost on two different ports the sign_in request completes with 200 OK but the response doesn't contain Set-Cookie header and so the client remains unauthenticated for the following requests.

Down here you can see a copy of the headers received in the sign_in response in both scenarios.
The problem is the same also if I try to authenticate from a frontend running locally to the RAILS backend deployed on server. The CORS headers are configured like this on the server and everything seems fine to me about cross origin:

config.middleware.insert_before 0, "Rack::Cors" do
    allow do
    origins '*'
    resource '*', :headers => :any, :methods => [:get, :post, :options]
    end
end

Deployed on server

Accept-Ranges:bytes
Access-Control-Allow-Credentials:true
Access-Control-Allow-Methods:GET, POST, OPTIONS
Access-Control-Allow-Origin:example.org
Access-Control-Expose-Headers:
Access-Control-Max-Age:1728000
access-token:XXXXXXXXXXOI9s2x0IuVMA
Age:0
Cache-Control:max-age=0, private, must-revalidate
client:XXXXXXXXXXAP2TsoBZTnjg
Connection:keep-alive
Content-Type:application/json; charset=utf-8
Date:Thu, 04 May 2017 09:28:17 GMT
ETag:W/"XXXXXXXXXXc86bb292d476d2366d3742"
expiry:1495099697
Server:nginx/1.10.0 (Ubuntu)
Set-Cookie:_differenthood_session=ZE1NWndTUUVmMkNDbWRWckNNbkpKdWh6SVdaVTFlaGN6XXXXXXXXXXcrb2EzSGd3SFQvN2h3Z2IxOE9BMVYrTjV6YmsvRXpWNmN4T213R2V3MEJ1WWc9PS0tbU01Ymt6YkdOc0VIUTFCK1NUVFlMZz09--861a3aebd1d79f224d9ad810a88e5d5f23e114c0; path=/; HttpOnly
token-type:Bearer
Transfer-Encoding:chunked
uid:login@email.com
Vary:Origin
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-Request-Id:c935b76c-d173-48ce-b21c-5e694845148b
X-Runtime:0.629113
X-XSS-Protection:1; mode=block

Testing on localhost

Access-Control-Allow-Credentials:true
Access-Control-Allow-Methods:GET, POST, OPTIONS
Access-Control-Allow-Origin:http://localhost:9000
Access-Control-Expose-Headers:
Access-Control-Max-Age:1728000
Access-Token:XXXXXXXXXXXAiR5CQmwYpQ
Cache-Control:max-age=0, private, must-revalidate
Client:XXXXXXXXXXq2UC7GXE0qbw
Connection:Keep-Alive
Content-Length:418
Content-Type:application/json; charset=utf-8
Date:Thu, 04 May 2017 09:27:20 GMT
Etag:W/"XXXXXXXXXX37381b8c1637b2ea1bba96"
Expiry:1495099640
Server:WEBrick/1.3.1 (Ruby/2.2.6/2016-11-15)
Token-Type:Bearer
Uid:login@email.com
Vary:Origin
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-Request-Id:3ef1f652-b29f-4fe7-bbb9-3de47f1acddf
X-Runtime:0.653264
X-Xss-Protection:1; mode=block

Answer 1

Nevermind sorry. I read the documentation deeper (https://github.com/lynndylanhurley/devise_token_auth#cors) and found the suggested CORS configuration that fixed the problem for me.
By adding:

:expose  => ['access-token', 'expiry', 'token-type', 'uid', 'client'],

to the CORS configuration posted in the question, the problem is resolved.