1
votes

I'm working on a SPA web application consisting of:

  • Apis running on https://localhost:5001
  • IdentityServer4 running on https://localhost:5001
  • A mobile application, the client consuming the APIs, running on http://localhost:8100. It's based on ionic+capacitor and launched using ionic serve.

I'm having trouble completing the login flow from the mobile. What works now is the mobile app calling the identity server for authorization; the identity server validates the user, and the result should return back to the mobile app through a redirection. My current problem is that I'm getting a CORS issue when the identity server tries to redirect the call to the mobile app.

The flow I have is as follows:

  • The mobile app calls the identity server authorize endpoint using the code flow.
  • Identity server redirects me to the interactive login page.
  • I enter the email/password and call the web API for authentication.
  • IdentityServer calls /authorize/callback with the tokens and credentials.
  • The authorize/callback should redirect me to the redirect_uri of the mobile app (http://localhost:8100/authcallback), however I'm getting the CORS issue as below. What might be the cause of the problem?

Sign-in API endpoint

    [HttpPost("login")]
    public async Task<IActionResult> Login(UserResource model)
    {
        var result = await signInManager.PasswordSignInAsync(model.email, model.password, isPersistent: true, lockoutOnFailure: false);

        // Resolves the IdentityServer authorization context for the return_url (null if it is not a valid authorize request)
        var context = await interaction.GetAuthorizationContextAsync(model.return_url);

        if (result.Succeeded)
        {
            // @todo will need to be changed to support multiple organizations
            var uo = db.Users.Include(q => q.UserOrganization).Single(q => q.Email == model.email).UserOrganization.First();
            uo.LastLogin = DateTime.UtcNow;
            await db.SaveChangesAsync();

            // let identity server know that we logged in
            await identityEvents.RaiseAsync(new UserLoginSuccessEvent(
                model.email, uo.UserId, model.email, clientId: context?.Client.ClientId
            ));

            // This cross-origin redirect from an XHR response is what triggers the CORS error
            return Redirect(model.return_url);
            /*return Ok(new {
                email = model.email,
                return_url = context.RedirectUri
            });*/
        }

        // not including an empty object here raises an error, maybe a problem with core3-preview5
        await identityEvents.RaiseAsync(new UserLoginFailureEvent(model.email, "invalid credentials", clientId: context?.Client.ClientId));
        return NotFound(new {});
    }


1 Answer

0
votes

The problem was actually that I'm issuing a redirect from an XmlHttpRequest to a different origin (http://localhost:8100), so Chrome won't like that and is giving me this error.

The fix was returning an Ok() instead of a Redirect() in the sign-in controller, and in the JavaScript SPA client I do the redirect using window.location.
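The client half of that fix, as an added example that is not code from the question or the answer: the SPA posts the credentials, reads `return_url` from the JSON the API now returns with 200, and navigates itself with `window.location`. Since the browser will now follow whatever URL the API hands back, the example also checks that `return_url` points at one of the two origins from the question before assigning it. The `/login` path, the `{ email, return_url }` response shape and the injectable `fetchImpl`/`navigate` hooks are assumptions.

```javascript
// Added example, not the question's or answer's own code.
// Origins from the question; the login route and response shape are assumed.
const IDENTITY_SERVER_ORIGIN = "https://localhost:5001";
const APP_ORIGIN = "http://localhost:8100";
const TRUSTED_ORIGINS = [IDENTITY_SERVER_ORIGIN, APP_ORIGIN];

// Returns an absolute URL string if `candidate` is http(s) and targets a trusted
// origin, otherwise null. Relative values are resolved against the app origin.
function safeReturnUrl(candidate, base = APP_ORIGIN, trusted = TRUSTED_ORIGINS) {
  if (typeof candidate !== "string" || candidate.length === 0) return null;
  let url;
  try {
    url = new URL(candidate, base);
  } catch {
    return null; // not parseable as a URL
  }
  // Reject non-web schemes so only http(s) destinations can be navigated to.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (!trusted.includes(url.origin)) return null;
  return url.href;
}

// Posts credentials and, on 200, navigates to the returned return_url.
// `fetchImpl` and `navigate` default to the browser APIs but can be replaced
// so the flow can be exercised outside a browser.
async function login(email, password, returnUrl,
                     { fetchImpl = fetch, navigate = (u) => window.location.assign(u) } = {}) {
  const resp = await fetchImpl(`${IDENTITY_SERVER_ORIGIN}/login`, {
    method: "POST",
    credentials: "include", // send the IdentityServer session cookie
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ email, password, return_url: returnUrl }),
  });
  if (!resp.ok) return { ok: false, status: resp.status };

  const body = await resp.json(); // assumed shape: { email, return_url }
  const target = safeReturnUrl(body.return_url);
  if (target === null) return { ok: false, status: resp.status, reason: "untrusted return_url" };

  navigate(target); // the browser, not the XHR, now performs the cross-origin hop
  return { ok: true, target };
}
```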