
I need to implement OWIN authorization on a Web API server. Below is my startup class.

[assembly: OwinStartup(typeof(SpaServerSide.MyStartUp))]

namespace SpaServerSide
{
    /// <summary>
    /// OWIN startup class. <see cref="Configuration"/> registers, in this order: the "/signalr" branch,
    /// cookie authentication, the OAuth authorization server, bearer authentication, CORS and Web API.
    /// </summary>
    public class MyStartUp
    {
        /// <summary>Builds the OWIN pipeline for the application.</summary>
        /// <param name="app">The OWIN application builder the middleware is registered on.</param>
        public void Configuration(IAppBuilder app)
        {            
            HttpConfiguration config = new HttpConfiguration();

            // This UseCors call applies only inside the "/signalr" branch, not to the rest of the pipeline.
            app.Map("/signalr", map =>
            {
                map.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
                var hubConfig = new Microsoft.AspNet.SignalR.HubConfiguration { };
                map.RunSignalR(hubConfig);
            });


            // Cookie authentication for the application cookie; the login path is "/#".
            app.UseCookieAuthentication(new CookieAuthenticationOptions()
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/#")
            });


            OAuthAuthorizationServerOptions OAuthOptions = new OAuthAuthorizationServerOptions()
            {
                // NOTE(review): with AllowInsecureHttp the token endpoint accepts plain-http requests, so the
                // password grant's username/password and the issued token travel unencrypted. Acceptable for
                // the localhost setup described here; require HTTPS anywhere else.
                AllowInsecureHttp = true,
                TokenEndpointPath = new PathString("/Token"),
                // Access tokens expire after five minutes.
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(5),
                // The provider is created without setting its cusUserManager field.
                Provider = new SpaServerSide.Shared.OAuthTokenServer()               
            };

            // The OAuth server middleware answers requests to "/Token" itself.
            app.UseOAuthAuthorizationServer(OAuthOptions);
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

            WebApiConfig.Register(config);
            // OWIN middleware runs in registration order. This CORS middleware is registered after the OAuth
            // middleware above, so it sits behind the component that handles "/Token".
            // NOTE(review): CorsOptions.AllowAll accepts every origin; restrict it to the known client
            // origin(s) for anything beyond local testing.
            app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
            app.UseWebApi(config);

        }
    }
}

Then I implemented the OAuthAuthorizationServerProvider as follows:

/// <summary>
/// OAuth authorization server provider that handles the resource owner password credentials grant
/// by checking the supplied username and password against <see cref="cusUserManager"/>.
/// </summary>
public class OAuthTokenServer : OAuthAuthorizationServerProvider
    {
        // NOTE(review): public field that nothing in this snippet assigns; it must be set before a token
        // request arrives, otherwise the FindAsync call below dereferences null.
        public ASPIdentityUserManager cusUserManager;       

        /// <summary>
        /// Validates the username and password of a password-grant token request and, on success,
        /// marks the request as validated with the user's identity.
        /// </summary>
        /// <param name="context">The grant context carrying the credentials and the OWIN context.</param>
        public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            // CORS response headers are written by hand here, before the credentials are checked.
            // NOTE(review): browsers do not accept a wildcard Access-Control-Allow-Origin together with
            // Access-Control-Allow-Credentials: true on credentialed requests; echo a specific allowed
            // origin instead. If a CORS middleware also sets these headers, keep only one mechanism.
            context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
            context.OwinContext.Response.Headers.Add("Access-Control-Allow-Credentials", new[] { "true" });
            var user = await cusUserManager.FindAsync(context.UserName, context.Password);
            if (user == null)
            {
                // The same generic message is used whether the username or the password is wrong,
                // so the response does not reveal which accounts exist.
                context.SetError("invalid_grant", "Username and password do not match.");
                return;
            }
            // Build the identity for the authentication type configured on the server options.
            var identity = await cusUserManager.CreateIdentityAsync(user, context.Options.AuthenticationType);
            context.Validated(identity);
        }

    }

After that, I hosted the web server on http://localhost:5587 and the client web site on http://localhost. When I tried to request the token using AngularJS, the browser reported a CORS error. The message is as follows:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:5587/Token. (Reason: CORS header 'Access-Control-Allow-Origin' missing).

Please point out anything I may have missed.

M. Ko

3 Answers


Move the line: app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);

at the beginning of your Configuration() method.

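You have to register the CORS middleware before the OAuth middleware, and before the SignalR middleware if you need CORS there. OWIN runs middleware in the order it is registered, so a request to /Token that the OAuth middleware answers never reaches a CORS middleware registered after it.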

jumuro

Try this

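Enable the browser setting that allows cross-origin access (this changes only your own browser for local testing; it does not make the server send CORS headers):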

IE: http://www.webdavsystem.com/ajax/programming/cross_origin_requests

Firefox: How to enable CORS on Firefox?

Chrome: https://chrome.google.com/webstore/detail/allow-control-allow-origi/nlfbmbojpeacfghkpbjhddihlkkiljbi?hl=en

Clement Amarnath
  • A quote from one of the links: "Do nothing to the browser. CORS is supported by default on all modern browsers (and since Firefox 3.5). The server being accessed by JavaScript has to give the site hosting the HTML document in which the JS is running permission via CORS HTTP response headers." – M. Ko Jun 03 '16 at 09:55

I think you need to enable CORS on your server side. You can refer to http://enable-cors.org/server.html and click the link for your server.

Hope that help u. :)

Kentang
  • Tried that `app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);` on the StartUp class and `context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });` on the provider class. – M. Ko Jun 03 '16 at 09:59