Search code examples
c#.net-coreasp.net-web-apicorsidentityserver4

IdentityServer4 CORS issue

We've set up CORS for our .NET 5 Web API that uses IdentityServer4 as authentication provider.

HTTP calls from our JS client (Ionic/Capacitor) to for example /account/register are working without a problem, but when we make a call to one of our "custom" API methods we get the following error message.

2021-02-19 10:38:10.092 +00:00 [DBG] CORS request made for path: /connect/userinfo from origin: http://192.168.1.152:8100
2021-02-19 10:38:10.099 +00:00 [DBG] Client list checked and origin: http://192.168.1.152:8100 is allowed
2021-02-19 10:38:10.101 +00:00 [DBG] CorsPolicyService allowed origin: http://192.168.1.152:8100
2021-02-19 10:38:10.179 +00:00 [DBG] CORS request made for path: /api/schedule from origin: http://192.168.1.152:8100 but was ignored because path was not for an allowed IdentityServer CORS endpoint

We googled for this issue but the only we seem to find is how to configure CORS for IDS4 or .NET 5. We have our CORS set up like this.

public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(options =>
    {
        options.AddDefaultPolicy(builder =>
            {
                builder.WithOrigins("http://192.168.1.152:8100", "capacitor://localhost", "https://localhost:5001")
                .AllowAnyHeader()
                .AllowAnyMethod();
            });
    });

    // ...

    services.AddIdentityServer();

    // ...
}

After that we also tried setting the AllowedCorsOrigins property on the appropriate client like this. But no luck.

AllowedCorsOrigins = new List<string>
{
    "http://192.168.1.152:8100", 
    "capacitor://localhost"
}

Configure setup is done like this, we tried switching UseCors() and UseIdentityServer() but this didn't help.

public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IMapper mapper)
{
    mapper.ConfigurationProvider.AssertConfigurationIsValid();

    app.UseRouting();
    app.UseStaticFiles();

    app.UseCors();
    app.UseIdentityServer();
    
    app.UseAuthentication();
    app.UseAuthorization();

    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Error");

        app.UseHsts();
    }

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapDefaultControllerRoute();
        endpoints.MapControllers();
    });
}

We also tried the "Adding more API Endpoints" entry in the IDS4 documentation, but this only seems to be meant for authorizing requests to those endpoints, which we already have set up ourselves.

Anyone has a clue what's going on?

Solution

  • Try to use a named policy instead of the default one. Sometimes it works better:

      services.AddCors(o => o.AddPolicy("AllowSpecificOrigins", builder =>
            {
              builder.WithOrigins("http://192.168.1.152:8100", "capacitor://localhost", "https://localhost:5001")
                .AllowAnyHeader()
                .AllowAnyMethod();
        });
});

......
......

app.UseCors("AllowSpecificOrigins");