CORS problem with B2C and Azure App Service

4
votes

I have enabled CORS in my ASP.NET/Angular application by using AddCors and EnableCors in controllers. My application is communicating with AD B2C pages. After build I have this error in the console :

Access to XMLHttpRequest at 'https://XXX.b2clogin.com/ (redirected from 'https://XXX.azurewebsites.net/User/Info') from origin 'https://XXX.azurewebsites.net' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Startup.cs : 

            services.AddCors(options =>
        {
            options.AddPolicy("CorsPolicy",
                builder => builder.AllowAnyOrigin()
                .AllowAnyMethod()
                .AllowAnyHeader()
                .AllowCredentials());
        });

Controller : 

[EnableCors("CorsPolicy")]
[Authorize]
public class UserEditController : Controller

I have enabled CORS on Azure too by putting : Allowed Origins - * .

UPDATE:

[Route("User/Info")]
[HttpGet]
public async Task<IActionResult> LoggedInUserInfo()
{
    if (User.Identity.IsAuthenticated)
    {
        var user = ((ClaimsIdentity)User.Identity).FindFirst(ClaimTypes.NameIdentifier).Value;
        var viewmodel = await userService.GetUserByObjectId(user);
        return Json(new { loggedIn = "true", user = viewmodel });
    }
    return Json(new { loggedIn = "false" });
}
1
asp.netcorsazure-ad-b2c
Hi @Memo Are you attempting a cross-origin request to the .b2clogin.com origin from your own page?Chris Padgett
Yes that’s it. I have enable CORS on my B2C pages too.Memo
What is the scenario for which XXX.azurewebsites.net/User/Info is attempting to make a XMLHttpRequest to b2clogin.com?Omer Iqbal
@OmerIqbal I have updated the post. You can see the scenario, the method is querying Azure AD to get the user with object Id.Memo

1 Answers

3
votes

It appears that you're attempting a cross-origin request from the https://xxx.azurewebsites.net/ domain to the https://xxx.b2clogin.com/ domain.

Currently the .b2clogin.com domain doesn't allow any cross-origin requests from any other domain.