1
votes

There are quite a lot of discussions on this subject; however, none is working for me. I have an ASP.NET Core API 2.1 with an Angular 7 app.

Error:

"fleet:1 Access to XMLHttpRequest at 'https://localhost:44354/api/test' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."

Startup:

public void ConfigureServices(IServiceCollection services)
{
    // Register Azure AD bearer authentication, bound to the "AzureAd" config section.
    services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
        .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));

    services.AddCors((options =>
    {
        options.AddPolicy("AzurePolicy", builder => builder
                    .WithOrigins("http://localhost:4200", "https://localhost:4200", "Access-Control-Allow-Origin", "Access-Control-Allow-Credentials")
                    .AllowAnyMethod()
                    .AllowAnyHeader()
                    .AllowCredentials()
         );
    }));

    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
}

// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseCors("AzurePolicy");
    app.UseAuthentication();

    app.UseMvc();
}

Config:

{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "xx.com",
    "TenantId": "xx",
    "ClientId": "xx"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Warning"
    }
  },
  "AllowedHosts": "*"
}

I even added the following to the controller:

 [EnableCors("AllowSpecificOrigin")]

Are there more things you can do here?

1
Where is your "AzurePolicy" policy defined? app.UseCors("AzurePolicy");? - R. Richards
You need to understand what you are doing (what CORS is and how it works). For instance, allow any origin is not compatible with AllowCredentials, and you really should know why if you are developing this kind of system. - Juan
@juan I was trying to follow this article. adrianszen.com/2019/02/19/… You have to start somewhere. You have a proposal on how to solve it? - Thomas Segato
@Juan I tried removing AllowCredentials, then I get 401. If you have any input it is appreciated. - Thomas Segato
401 means you are missing authentication, because by not allowing credentials, neither cookies nor the Authentication header is sent to the server. The thing is you can't send these to the server having allow any origin. You need to lock down the origin to your specific URL in order to allow credentials. This is not the only thing you will find along the road, start here, it will help you troubleshoot whatever comes up: developer.mozilla.org/en-US/docs/Web/HTTP/CORS - Juan
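
The origin and credentials rule discussed in the comments above, as an added JavaScript sketch that is not part of the original thread. `corsHeadersFor`, `browserAllows` and `check` are hypothetical helpers that model an allow-list policy and the browser-side check; they are not ASP.NET Core or browser code, and the policies are constructed from the values in the question.

```javascript
// Added example: simplified model of the CORS origin/credentials check.
// corsHeadersFor and browserAllows are hypothetical names, not framework APIs.

// Server side: response headers an allow-list policy produces for an Origin.
function corsHeadersFor(policy, origin) {
  const headers = {};
  if (policy.allowAnyOrigin) {
    headers['access-control-allow-origin'] = '*';
  } else if (policy.origins.includes(origin)) {
    // Exact string match on scheme://host:port; the origin is echoed back.
    headers['access-control-allow-origin'] = origin;
    headers['vary'] = 'Origin';
  }
  if (policy.allowCredentials && 'access-control-allow-origin' in headers) {
    headers['access-control-allow-credentials'] = 'true';
  }
  return headers;
}

// Browser side: may script on `origin` read a response carrying `headers`?
function browserAllows(origin, withCredentials, headers) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return 'blocked: no Access-Control-Allow-Origin header';
  if (acao === '*') {
    return withCredentials ? 'blocked: wildcard origin with credentials' : 'allowed';
  }
  if (acao !== origin) return 'blocked: origin mismatch';
  if (withCredentials && headers['access-control-allow-credentials'] !== 'true') {
    return 'blocked: Access-Control-Allow-Credentials is not true';
  }
  return 'allowed';
}

// Constructed policies: the question's origin list, and a wildcard variant.
const questionPolicy = {
  origins: ['http://localhost:4200', 'https://localhost:4200',
            'Access-Control-Allow-Origin', 'Access-Control-Allow-Credentials'],
  allowCredentials: true,
};
const wildcardPolicy = { allowAnyOrigin: true, allowCredentials: true };

function check(policy, origin, withCredentials) {
  return browserAllows(origin, withCredentials, corsHeadersFor(policy, origin));
}

console.log(check(questionPolicy, 'http://localhost:4200', true));
console.log(check(questionPolicy, 'http://localhost:4201', true));
console.log(check(wildcardPolicy, 'http://localhost:4200', true));
console.log(browserAllows('http://localhost:4200', true, {}));
```

The last call, with no CORS headers on the response at all, is the condition the browser reports in the question's error message. The header names placed in the origin list never match a real `Origin` value, so they have no effect on the result.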

1 Answer

1
votes

Add AzureActiveDirectory settings in appsettings.json

Like this:

"AzureAd": {
  "Instance": "https://login.microsoftonline.com",
  "Domain": "AD_DOMAIN",
  "TenantId": "TENANT_GUID",
  "ClientId": "APPLICATIONID_GUID"
}

For more details, follow this Article