0

Ill try to keep this short to save digital rain forest. Please ask If I missed any details.

I have an "asp .net 3.1 core + react"-project template in VS, with built in Identity server. This works ok, but I now want to do my react project in a separate project. So I started a new create-react-app-project.

So, from my new react project, when I call OidcConfigurationController. The controller method is called and I can step through the code on server side. Then I get a client error "Failed to fetch", which, by internet wizdom, seems to indicated CORS-error.

This is what I got when I inspect the header in chrome dev toolbar->network

Request URL: https://localhost:5001/authentication/_configuration/MyProject.Web
Referrer Policy: strict-origin-when-cross-origin
:authority: localhost:5001
:method: GET
:path: /authentication/_configuration/MyProject.Web
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,sv;q=0.8
origin: http://localhost:3000
referer: http://localhost:3000/
sec-ch-ua: "Google Chrome";v="87", " Not;A Brand";v="99", "Chromium";v="87"
sec-ch-ua-mobile: ?0
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

These are relevant lines in startup.cs

ConfigureServices()

services.AddCors(options =>
{
    options.AddPolicy(name: MyAllowSpecificOrigins,
                        builder =>
                        {
                            //builder.WithOrigins("http://localhost:3002/", "https://localhost:3001")
                            builder.AllowAnyOrigin()
                        .AllowAnyMethod()
                        .AllowAnyHeader();
                        });
});

services.AddSingleton<ICorsPolicyService>((container) => {
    var logger = container.GetRequiredService<ILogger<DefaultCorsPolicyService>>();
    return new DefaultCorsPolicyService(logger)
    {
        AllowAll = true
    };
});

Configure()

app.UseCors(MyAllowSpecificOrigins); // I also tried to switch order on these 2 rows
app.UseIdentityServer();

Nothing I do here seems to change the Referrer Policy in the header, still get the exact same message

The React-call is just a plain fetch(address-of-the-controller-that-it-hits).

I have also tried to start a new Server Side-project (asp net core api) and set same CORS-policy, I can call this api from my react client without getting any errors)

Cowborg
  • 2,645
  • 3
  • 34
  • 51
  • Can you show us your error message in dev tools? From your description, I can not find any errors. – Karney. Jan 07 '21 at 06:06

1 Answers1

0

So, in the request, you see the origin: http://localhost:3000 header is used. That is the source for the CORS request. But the request is for this URL:

https://localhost:5001/authentication/_configuration/MyProject.Web

Could it not be that there's a redirect from insecure HTTP to HTTPS that is interfering?

Do make sure you set the CORS settings in IdentityServer as well.

See the CORS documentation for more details.

As side note, IIS might cause CORS issues as well, see this answer for details:

IIS hijacks CORS Preflight OPTIONS request

Tore Nestenius
  • 16,431
  • 5
  • 30
  • 40
  • Hi Tore! Thanks for your reply! I will check this and reply after "normal" work – Cowborg Jan 07 '21 at 10:14
  • I would also post a copy of the failing request from Fiddler (https://www.telerik.com/download/fiddler ) , its easier to pinpoint whats wrong there. – Tore Nestenius Jan 07 '21 at 10:40