-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Setting allowed origins via an ICorsPolicyService does not set access-control-allow-origin for OPTIONS requests #1251
Comments
The This doesn't seem to have anything to do with IdentityServer, do you agree? If so maybe the ASP.NET Core issue tracker is the right place to continue the conversation. |
So the origin absolutely does not match - that's why I'm trying to use the provided I do believe this is an identity server issue, because it shows that the |
I misinterpreted your question, my apologies. |
Are you registering the |
I think the last paragraph refers to services.AddIdentityServer(...)
.AddCorsPolicyService<MyCorsPolicyService>(); |
The IdentityServer Cors handling is designed to work together with any other Cors policies in the hosting Asp.Net Core application. The IdentityServer Cors handling will only be activated for the IdentityServer protocol endpoints where Cors is relevant. To make these work together it is important that your own |
Which version of Duende IdentityServer are you using?
6.0.0
Which version of .NET are you using?
.NET 8.0
Describe the bug
Found when using
oidc-client-ts
withloadUserInfo: true
, which triggers anOPTIONS
request to/connect/userinfo
(Presumably because it contains anAuthorization
header).When the OPTIONS request is sent, origins specified in ICorsPolicyService are not included in the validation process, and the
access-control-allow-origin
header is not set.To Reproduce
This only occurs when multiple CORS policies are used. Broadly speaking, application builder config has to look like:
Then the request below will be returned without an
access-control-allow-origin
header, even ifhttps://someotherdomain.com
is accepted by the ICorsPolicyService:Expected behavior
Setting allowed origins in
ICorsPolicyService
should work forOPTIONS
requests.Additional context
It looks like this is caused because the aspnetcore CORS middleware will short-circuit
OPTIONS
requests. See:https://github.com/dotnet/aspnetcore/blob/d6c161969965bfeff71110ea5b3462afacfa9f24/src/Middleware/CORS/src/Infrastructure/CorsMiddleware.cs#L177
Ordinarily, both cors middleware instances will run and either the first or second will set the right headers on the response. For
OPTIONS
though, only the first instance of the middleware is processed.Technically I might be able to resolve this by swapping the order of
UseCors
andUseIdentityServer
, but this would give the opposite problem for otherOPTIONS
requests.I've been able to trick this into working by creating a dummy endpoint that can teach the CORS middleware which policy to use:
But this is extremely unpleasant and brittle.
The text was updated successfully, but these errors were encountered: