My current scenario is that I have a Blazor WASM (client) app calling a Web API, via Azure API Management, sitting on a different server/domain. I have both the Blazor App and the Web API secured with Azure Active Directory B2C. I am also authenticating at the API Manager level using jwt-validate. I have worked out how to pass the JWT token from the Blazor App to API Management and the Web API (using the CustomAuthorizationMessageHandler solution), but I'm seeing weird behaviour coming from the Blazor App when making the Api call.
When I make a call using the method Http.GetFromJsonAsyn<MyEntity>("<api manager endpoint>"), the GET request is appearing as a OPTIONS request at the API Manager, therefore causing an error (Unable to match incoming request to an operation). I've tried multiple ways to make the API GET call, but all result in a OPTIONS call.
I can't work out if this is a Blazor issue, a CustomAuthorizationMessageHandler issue, or something else. Has anyone come across this before and, more importantly, has anyone solved the problem?
The OPTIONS call is a 'pre-flight' call to establish whether the call is allowed.
It appears you do not have CORS configured on the API server.
But I would have expected a better error message, about CORS.
See the docs.