Access-Control-Allow-Origin Ok in this situation?

Question

I am following certain sections of this tutorial but I am wondering if this using "*" is safe to do or if I should be putting it as my domain name?

public class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated();
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {

        context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });

        using (AuthRepository _repo = new AuthRepository())
        {
            IdentityUser user = await _repo.FindUser(context.UserName, context.Password);

            if (user == null)
            {
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return;
            }
        }

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim("sub", context.UserName));
        identity.AddClaim(new Claim("role", "user"));

        context.Validated(identity);

    }
}

Answer 1

It depends on your specific use case.

Ideally you should limit this to as few as possible - your own domain if you can (or a list of domains if it will be more than one) - but if you need to allow public access to that API then you will have to allow "*".

I should also point out that you can set your CORS restrictions on a very granular basis - e.g. for each method, if you need to. See example below from MS docs: https://learn.microsoft.com/en-us/aspnet/core/security/cors

[HttpGet]
[EnableCors("AllowSpecificOrigin")]
public IEnumerable<string> Get()
{
  return new string[] { "value1", "value2" };
}