1
votes

I'm trying to get response with an access code and getting:

XMLHttpRequest cannot load "h...://login.microsoftonline.com/d331431b-899c-4666-8094-e82e6bfc3964/oaut…auth%2faad&scope=user_impersonation&state=033f4ad89a574135884fd3a03c1743ab". No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:23589' is therefore not allowed access.

Used all suggestions from the ServiceStack, CORS, and OPTIONS (No Access-Control-Allow-Origin header) discussion:

added:

Plugins.Add(new CorsFeature(new[] { "http://localhost/", "http://localhost:23589" },
    allowCredentials: true,
    allowedHeaders: "Content-Type, Allow, Authorization"));

and even:

PreRequestFilters.Add((httpReq, httpRes) =>
{
    //if (httpReq.Verb == "OPTIONS")
    //{
    //    var origin = httpReq.Headers.Get("Origin");
    string origin = httpReq.Headers.Get("Origin");
    httpRes.AddHeader(HttpHeaders.AllowOrigin, "*");
    httpRes.EndRequest();
    // }
});

Still no luck. We are using ServiceStack version 4.0.56.

Request URL:

> https://login.microsoftonline.com/d331431b-899c-4666-8094-e82e6bfc3964/oauth2/authorize?response_type=code&resource=https%3a%2f%2fanalysis.windows.net%2fpowerbi%2fapi&client_id=0d3be5ed-3361-43f5-9d25-a5ccefb11f7e&redirect_uri=http%3a%2f%2flocalhost%3a23589%2fapi%2fauth%2faad&scope=user_impersonation&state=d6ef09f8064643ed914d4995562642be

Request Method:GET
Status Code:200 OK
Remote Address:157.55.208.218:443

Response Headers:

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
x-ms-request-id: d2531fb2-2e97-4940-a15d-f3c6f1cd5e7b
client-request-id: 376b2cb0-e1d2-4749-a8b5-adfee1b3ceba
X-Frame-Options: DENY
x-ms-gateway-service-instanceid: ESTSFE_IN_344
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: buid=AAABAAEAiL9Kn2Z27UubvWFPbm0gLfvzURnxA_SU_2fqg40MIAq5oFqJPcrl7iSuhLgh52CsEbHynIx5Krpov-SlQ7tVxK9O3EWPdKHzur0dQHXgfE4FLI6Vmv3-HwokZIpKbXA2IAA; expires=Fri, 02-Dec-2016 17:25:56 GMT; path=/; secure; HttpOnly
Set-Cookie: esctx=AAABAAAAiL9Kn2Z27UubvWFPbm0gLdbqNasFxQzD3cBv92w234pND-QPmCQNU9pfwexBLi9fullMTJbXyFHlgwaIpWQHx6OpBt9rHaIVDwlxaAh7MqFmsrHiMcoXcWy55B0veMpU10kthlQdtj37nLx1_p3ocBF3tMJ822MGbR2D-Epr8iTW2AmiL46Q2oxA9gHfuwYBIAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly
Set-Cookie: x-ms-gateway-slice=productiona; path=/; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly
X-Powered-By: ASP.NET
Date: Sun, 05 Jun 2016 17:25:55 GMT
Content-Length: 9602

Request Headers:

Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:en-US,en;q=0.8,ru;q=0.6
Cache-Control:max-age=0
Connection:keep-alive
Host:login.microsoftonline.com
Origin:http://localhost:23589
Referer:http://localhost:23589/
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36

I also tried adding this code in the AppHost Configure method:

base.SetConfig(new HostConfig
{
    GlobalResponseHeaders = {
        { "Access-Control-Allow-Origin", "*" },
        { "Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS" },
        { "Access-Control-Allow-Headers", "Content-Type" },
    },
});

From Fiddler:

Request headers:

GET /d331431b-899c-4666-8094-e82e6bfc3964/oauth2/authorize?response_type=code&resource=https%3a%2f%2fanalysis.windows.net%2fpowerbi%2fapi&client_id=0d3be5ed-3361-43f5-9d25-a5ccefb11f7e&redirect_uri=http%3a%2f%2flocalhost%3a23589%2fapi%2fauth%2faad&scope=user_impersonation&state=3c41d4ea46a8408fb19fdf05ea07643a HTTP/1.1
Host: login.microsoftonline.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: application/json, text/plain, */*
Origin: http://localhost:23589
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Referer: http://localhost:23589/
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8,ru;q=0.6

Response Headers:

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
x-ms-request-id: 70fcd73f-f880-4744-b896-6edc491b1d22
client-request-id: a52446b6-a7f0-4afb-ba23-8d27207ddb27
X-Frame-Options: DENY
x-ms-gateway-service-instanceid: ESTSFE_IN_19
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
Set-Cookie: buid=AAABAAEAiL9Kn2Z27UubvWFPbm0gLWnOYMRRqrZRDzgogkab1uuAetOi-f1iLnpE1G5EU3xMkzYdvTgIs2Fz79S07PNcfnEry6eWS8RX_4k8awcIgY063VQ7VvWP6SRRvXfCgpJeIAA; expires=Fri, 02-Dec-2016 22:20:48 GMT; path=/; secure; HttpOnly
Set-Cookie: esctx=AAABAAAAiL9Kn2Z27UubvWFPbm0gLZemnOQ8vijuCpi6h8NzV-CjOfr0MZwZhb4Nfczf20C1TSXORoJbIHCbVBV_MmeuXTR1mbzh9GzFIBmi__ff0M-gGh02fol-sHPyKJnU7Zfi2cEYWensHvmiEJO9Tw5KbO8tWdZxl-XDi7V5IZNNsJWp4LxTVVGkOeyOYieMfJ6mIAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly
Set-Cookie: x-ms-gateway-slice=productiona; path=/; secure; HttpOnly
Set-Cookie: stsservicecookie=ests; path=/; secure; HttpOnly
X-Powered-By: ASP.NET
Date: Sun, 05 Jun 2016 22:20:49 GMT
Content-Length: 36210
Comments:

mythz: Can you post the raw HTTP Request and Response Headers? You can get them with Chrome WebInspector or Fiddler.

Tatyana K: Thank you for the reply. There are no "Access-Control-Allow.." in the Response Headers. Access-Control-Allow-Headers:Content-Type Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Origin:*

Tatyana K: When I call my AuthProvider directly everything is good and request/response look different: Request URL:login.microsoftonline.com/d331431b-899c-4666-8094-e82e6bfc3964/… Request Method:GET Status Code:302 Found Remote Address:157.55.208.218:443

mythz: The Origin and Referer headers seem incomplete or corrupted. The url in the Origin header is what's supposed to match exactly with what's added on Plugins.Add(new CorsFeature(new[] { "http://localhost:23589" });

Tatyana K: I tried with "/" and without. The error message has: localhost:23589.

3 Answers

2
votes

The issue is because you're trying to call the /api/auth/aad OAuth route via Ajax instead of linking to it directly in your page.

You can't call the AAD OAuth route via Ajax, since the url it redirects to that's used to capture the client's authorization (https://login.microsoftonline.com/..) doesn't allow CORS, as indicated in the error that you're seeing.

This isn't a ServiceStack CORS issue, which you don't need in order to talk to your local APIs (i.e. http://localhost:23589) since they're hosted in the same domain as the HTML page. CORS (Cross-origin resource sharing) is needed when using Ajax to access a resource outside of the domain (i.e. https://login.microsoftonline.com/..), which, since it doesn't allow CORS, will not let you access that url via Ajax.

1
votes

Remove the last slash in your url "http://localhost/".
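The two answers above make two separate points: the same-origin call to /api/auth/aad never needed CORS, while the cross-origin redirect target returns no Access-Control-Allow-Origin header at all; and an allowed-origin entry written with a trailing slash never matches what the browser actually sends in Origin. The following is an added example, not code from the question, the answers, or ServiceStack. It models the browser's CORS decision and the exact Origin match that mythz's comment describes, using the authorize URL and a constructed subset of the response headers from the question. It assumes Node.js with the global URL class.

```javascript
// Added example, not code from the question or the answers. Models the
// browser-side CORS check for the request in this thread and the literal
// Origin comparison described in mythz's comment. Runs under Node.js.

// The authorize URL from the question; its redirect_uri points back at the app.
const AUTHORIZE_URL =
  'https://login.microsoftonline.com/d331431b-899c-4666-8094-e82e6bfc3964/oauth2/authorize' +
  '?response_type=code&resource=https%3a%2f%2fanalysis.windows.net%2fpowerbi%2fapi' +
  '&client_id=0d3be5ed-3361-43f5-9d25-a5ccefb11f7e' +
  '&redirect_uri=http%3a%2f%2flocalhost%3a23589%2fapi%2fauth%2faad' +
  '&scope=user_impersonation&state=d6ef09f8064643ed914d4995562642be';

const PAGE_ORIGIN = 'http://localhost:23589';

// Constructed subset of the login.microsoftonline.com response headers shown
// in the question: there is no Access-Control-Allow-Origin header at all.
const AAD_RESPONSE_HEADERS = {
  'Cache-Control': 'no-cache, no-store',
  'Content-Type': 'text/html; charset=utf-8',
  'X-Frame-Options': 'DENY',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
};

// Browsers send Origin as scheme://host[:port] with no path and no trailing
// slash, so "http://localhost:23589/" normalises to "http://localhost:23589".
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Case-insensitive header lookup; null when the header is absent.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Model of CorsFeature's allow-list: the incoming Origin header is compared
// against the configured strings verbatim, so an entry written with a
// trailing slash ("http://localhost/") can never match a real Origin value.
function allowedOriginFor(configuredOrigins, originHeader) {
  return configuredOrigins.includes(originHeader) ? originHeader : null;
}

// Model of the browser's decision for an XMLHttpRequest from pageOrigin to
// requestUrl, given the response headers that came back.
function corsDecision({ pageOrigin, requestUrl, responseHeaders, withCredentials = false }) {
  const targetOrigin = originOf(requestUrl);
  if (targetOrigin === pageOrigin) {
    return { crossOrigin: false, allowed: true, reason: 'same-origin request; CORS does not apply' };
  }
  const acao = header(responseHeaders, 'Access-Control-Allow-Origin');
  if (acao === null) {
    return { crossOrigin: true, allowed: false,
      reason: "No 'Access-Control-Allow-Origin' header is present on the requested resource" };
  }
  if (acao === '*') {
    // A wildcard is rejected when the request carries credentials (cookies),
    // which is what allowCredentials: true combined with "*" runs into.
    return withCredentials
      ? { crossOrigin: true, allowed: false, reason: 'wildcard origin not allowed with credentials' }
      : { crossOrigin: true, allowed: true, reason: 'wildcard origin' };
  }
  return acao === pageOrigin
    ? { crossOrigin: true, allowed: true, reason: 'origin matches' }
    : { crossOrigin: true, allowed: false, reason: `origin ${pageOrigin} does not match ${acao}` };
}

// Following the link as a top-level navigation avoids CORS entirely: after the
// login dialog the browser lands on redirect_uri, which is same-origin with the page.
function callbackOrigin(authorizeUrl) {
  const redirectUri = new URL(authorizeUrl).searchParams.get('redirect_uri');
  return redirectUri === null ? null : originOf(redirectUri);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(corsDecision({ pageOrigin: PAGE_ORIGIN, requestUrl: AUTHORIZE_URL, responseHeaders: AAD_RESPONSE_HEADERS }));
  console.log(corsDecision({ pageOrigin: PAGE_ORIGIN, requestUrl: PAGE_ORIGIN + '/api/auth/aad', responseHeaders: {} }));
  console.log(allowedOriginFor(['http://localhost/', 'http://localhost:23589'], originOf(PAGE_ORIGIN + '/')));
  console.log(callbackOrigin(AUTHORIZE_URL));
}
```

Running it shows the first decision blocked with the exact wording of the question's error, the second allowed without any CORS headers, and the trailing-slash entry ignored while the port-qualified entry matches; the last line confirms the callback lands back on the page's own origin, which is why a plain link (or setting window.location) to /api/auth/aad works where Ajax cannot.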

1
votes

As mythz explained in his answer, CORS is not allowed from your originating domain. You are, however, allowed to register your application with Microsoft Azure(?) Active Directory so that it can display a separate login dialog that will return a callback to your application as soon as authentication succeeds.

For more information about the AAD login flow (mind you, this is a NodeJS example, not bare javascript, but the same logic applies) check out Getting started with Azure AD.