
I have a token endpoint that is passed a username and password grant type to authenticate users. This token endpoint is called from an AngularJS service that is part of my MVC web front end. When I call the service I get the following error:

XMLHttpRequest: Network Error 0x80070005, Access is denied.

This seems to be a CORS problem. I did the following to resolve this problem, with no luck thus far.

I added the `app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);` to my `Startup.cs` file for my token web service.

using System.Web.Http;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        ConfigureOAuth(app);

        var config = new HttpConfiguration();
        WebApiConfig.Register(config);

        config.Filters.Add(new AuthorizeAttribute());

        // CORS is registered here, after the OAuth middleware set up in ConfigureOAuth
        app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);

        app.UseWebApi(config);
    }

    private void ConfigureOAuth(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthServerOptionsProvider().Provide());
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}

I also have a class that is overriding the `OAuthAuthorizationServerProvider`. Within the `GrantResourceOwnerCredentials` method I have the following code to add all origins to the response headers:

public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
    System.Web.HttpContext.Current.Response.Headers.Add("Access-Control-Allow-Origin", "*");
    // Other code left out to keep this short
}

In Fiddler I can see that the response header was successfully added.


Is there something I'm missing here?

Update

Here are my request headers


Andre Lombaard
  • Can you include your request headers as well? I've a feeling you don't return `200 OK` for a pre-flight `OPTIONS` call – maurycy Jul 27 '15 at 11:26
  • Hi @maurycy, I included my request headers. – Andre Lombaard Jul 27 '15 at 11:31
  • So it is as I thought and it's failing on the pre-flight `OPTIONS` call. Check the configuration for `ASP.NET` here http://enable-cors.org/server_aspnet.html and ensure that `OPTIONS` returns code `200`; then you will see a second call with the `POST` method, which will mean that CORS is configured correctly. To use other methods, i.e. `PUT` and `DELETE`, you will need to specify those in `Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"` – maurycy Jul 27 '15 at 11:41
  • Thank you @maurycy, your comments pointed me in the right direction, I will post how I eventually managed to solve this problem below. – Andre Lombaard Jul 27 '15 at 13:37

1 Answer

First of all, I have to point out that the comments made by @maurycy helped me find the solution in the comments of this Stack Overflow post.

This post explains that the `app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);` in the `Startup.cs` file should be moved to the top of the method and that the `System.Web.HttpContext.Current.Response.Headers.Add("Access-Control-Allow-Origin", "*");` should be removed from the `GrantResourceOwnerCredentials` class. So I changed the code in my question to look something like this:

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        ConfigureOAuth(app);

        var config = new HttpConfiguration();
        WebApiConfig.Register(config);

        config.Filters.Add(new AuthorizeAttribute());

        app.UseWebApi(config);
    }

    private void ConfigureOAuth(IAppBuilder app)
    {
        app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);

        app.UseOAuthAuthorizationServer(new OAuthServerOptionsProvider().Provide());
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}

I have also changed the class that is overriding the `OAuthAuthorizationServerProvider`:

public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
    // Remove the response header that was added
    // Other code left out to keep this short
}
Andre Lombaard
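
A way to check a captured preflight response for the failure modes raised in this thread (an `OPTIONS` reply that is not `200`, and an `Access-Control-Allow-Origin` header present more than once, as can happen when it is set in two places), as an added example that is not part of the original question or answer. It is a simplified model of the browser's check that ignores credentialed requests; the function names, object shapes and sample values are assumptions.

```javascript
// Added example: simplified model of the checks a browser applies to a CORS
// preflight response. Object shapes and sample values are constructed.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];

// All values sent for one header name (a header can appear more than once).
function headerValues(headers, name) {
  return headers
    .filter(([n]) => n.toLowerCase() === name.toLowerCase()).map(([, v]) => v.trim());
}

// Flatten comma-separated header values into lower-case tokens.
function tokens(values) {
  return values.join(",").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Returns the reasons the browser would block the real request ([] = allowed).
function checkPreflight(request, response) {
  const problems = [];
  if (response.status < 200 || response.status > 299) {
    problems.push(`preflight status ${response.status} is not 2xx`);
  }
  const origins = headerValues(response.headers, "Access-Control-Allow-Origin");
  if (origins.length === 0) {
    problems.push("Access-Control-Allow-Origin missing");
  } else if (origins.length > 1 || origins[0].includes(",")) {
    problems.push("Access-Control-Allow-Origin has multiple values");
  } else if (origins[0] !== "*" && origins[0] !== request.origin) {
    problems.push(`origin ${request.origin} not allowed`);
  }
  const methods = tokens(headerValues(response.headers, "Access-Control-Allow-Methods"));
  const method = request.method.toUpperCase();
  if (!SAFELISTED_METHODS.includes(method) && !methods.includes("*") &&
      !methods.includes(method.toLowerCase())) {
    problems.push(`method ${method} not in Access-Control-Allow-Methods`);
  }
  const allowed = tokens(headerValues(response.headers, "Access-Control-Allow-Headers"));
  for (const h of request.headers.map((x) => x.toLowerCase())) {
    if (!allowed.includes("*") && !allowed.includes(h)) {
      problems.push(`header ${h} not in Access-Control-Allow-Headers`);
    }
  }
  return problems;
}

// Constructed sample: request.headers lists the names the browser asks to send.
const tokenRequest = { origin: "https://app.example", method: "POST", headers: ["content-type"] };
const duplicated = { status: 200, headers: [["Access-Control-Allow-Origin", "*"],
  ["Access-Control-Allow-Origin", "*"], ["Access-Control-Allow-Headers", "content-type"]] };
console.log(checkPreflight(tokenRequest, duplicated));
```

Feed it the status and headers of the `OPTIONS` response as captured in Fiddler or the browser's network tab; an empty array means the follow-up request would be sent.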