
I have a simple (for troubleshooting only) implementation of OAuthAuthorizationServerProvider where I am overriding the GrantResourceOwnerCredentials method like this:

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
        context.SetError("invalid_grant", "The user name or password is incorrect.");
    }

The first line enables CORS and the second line simply invalidates the context. When testing using Chrome, this works as expected - I get back a 400 (Bad Request) when I POST to the token endpoint.

However, the moment I introduce any reference to System.Web.Helpers.Crypto, CORS no longer works and I get back "No 'Access-Control-Allow-Origin' header is present on the requested resource." For example, CORS fails if I change the above to this:

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
        var salt = System.Web.Helpers.Crypto.GenerateSalt();
        context.SetError("invalid_grant", "The user name or password is incorrect.");
    }

This is, of course, a contrived example that I came up with while troubleshooting the problem. In the actual GrantResourceOwnerCredentials, Crypto.VerifyHashedPassword() is used which causes the exact same problem. Also, as a test, I quickly wrapped the call to Crypto in another class but the problem persists.

Have I encountered a strange bug? Any direction with this would be appreciated.

UPDATE: Further investigation revealed that this problem apparently occurs with any reference to System.Web.Helpers. In other words, it is not specific to the System.Web.Helpers.Crypto class.

user1843640
  • wow this would be a very severe bug if your diagnosis is correct... which makes me think it's probably not correct :) could you use a tool such as Fiddler to intercept the HTTP traffic and share with us what is actually going over the wire? – Robert Levy Oct 03 '14 at 02:05
  • thanks for the suggestion to use Fiddler which helped reveal the underlying problem - an exception is occurring: "Could not load file or assembly 'System.Web.Helpers' or..." now I just need to figure out why. – user1843640 Oct 03 '14 at 02:19

1 Answer

Turns out an exception was occurring before the 'Access-Control-Allow-Origin' header could be written. Stepping through the code did not reveal the exception. However, once I used Fiddler, as recommended by @Robert Levy, I saw the full response, which contained the exception - "Could not load file or assembly 'System.Web.Helpers'". I tracked the problem down to web.config where the dependentAssembly entry for System.Web.Helpers had the wrong version number:

    <dependentAssembly>
      <assemblyIdentity name="System.Web.Helpers" publicKeyToken="31bf3856ad364e35"/>
      <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="2.0.0.0"/>
    </dependentAssembly>

newVersion was set to 3.0.0.0 but the version of the assembly is 2.0.0.0. Making this change in web.config fixed the problem.

user1843640
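The mismatch described in this answer can be found before it surfaces as a misleading CORS failure at the token endpoint. The PowerShell function below is an added example, not code from the original post: it compares every bindingRedirect in web.config with the assembly actually deployed in bin. The function name `Test-BindingRedirect` and the site layout (`web.config` plus a `bin` folder under one root) are assumptions.

```powershell
# Added example: report bindingRedirect entries whose newVersion does not match
# the assembly deployed in bin\. Test-BindingRedirect is a hypothetical name.
function Test-BindingRedirect {
    param(
        # Assumed layout: <SiteRoot>\web.config and <SiteRoot>\bin\<Assembly>.dll
        [string]$SiteRoot = '.'
    )

    $config = New-Object System.Xml.XmlDocument
    $config.Load((Resolve-Path -LiteralPath (Join-Path $SiteRoot 'web.config')).Path)

    # local-name() avoids having to register the asm.v1 namespace of <assemblyBinding>.
    foreach ($dep in $config.SelectNodes("//*[local-name()='dependentAssembly']")) {
        $identity = $dep.SelectSingleNode("*[local-name()='assemblyIdentity']")
        if ($null -eq $identity) { continue }
        $name = $identity.GetAttribute('name')
        $dll  = Join-Path (Join-Path $SiteRoot 'bin') "$name.dll"

        foreach ($redirect in $dep.SelectNodes("*[local-name()='bindingRedirect']")) {
            $target   = [version]$redirect.GetAttribute('newVersion')
            $deployed = $null
            $status   = 'NotInBin'   # may still resolve from the GAC; check manually

            if (Test-Path -LiteralPath $dll) {
                # Reads assembly metadata only; the assembly is not loaded.
                $full     = (Resolve-Path -LiteralPath $dll).Path
                $deployed = [System.Reflection.AssemblyName]::GetAssemblyName($full).Version
                $status   = if ($deployed -eq $target) { 'OK' } else { 'Mismatch' }
            }

            [pscustomobject]@{
                Assembly   = $name
                OldVersion = $redirect.GetAttribute('oldVersion')
                NewVersion = $target
                Deployed   = $deployed
                Status     = $status
            }
        }
    }
}

# Example call: list only the entries that need attention.
# Test-BindingRedirect -SiteRoot 'C:\path\to\site' | Where-Object Status -ne 'OK'
```

For the configuration in this answer, a `newVersion` of 3.0.0.0 against a deployed 2.0.0.0 assembly would be reported as `Mismatch`.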