Pieterjan

Reputation: 3581

return Challenge() blocked by CORB (ASP.NET Core)

I have built an ASP.NET Core website with Microsoft.AspNetCore.Identity and external logins, and an Angular 8 frontend. This is basically the code in my controller:

[Controller]
[Route("web/[controller]")]
public class AccountController : Controller
{
    // GET: web/Account/connect/{provider}
    [AllowAnonymous]
    [HttpGet("connect/{provider}", Name = "web-account-external-connect-challenge")]
    public async Task<ActionResult> ExternalLogin(string provider)
    {
        var redirectUrl = Url.Action(nameof(ExternalLoginCallback), "Account", new { provider });
        var properties = signin_manager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
        return Challenge(properties, provider);
    }

    // GET: web/Account/connect/{provider}/callback
    [HttpGet("connect/{provider}/callback", Name = "web-account-external-connect-callback")]
    public async Task<ActionResult> ExternalLoginCallback([FromRoute]string provider)
    {
        ...
    }
}

So when visiting /web/Account/connect/Facebook you should get the Facebook login page. On successful login FB will redirect to ExternalLoginCallback and the application will handle the login (create account, sign in).

Last warning notifies about CORB

Now it appears that I'm being hit by CORB (never heard of it before). I know about CORS, but CORB is new to me.

You can get a glimpse of the action here.

Cross-Origin Read Blocking (CORB) blocked cross-origin response https://www.facebook.com/login.php?skip_api_login=1&api_key=...&kid_directed_site=0&app_id=...&signed_next=1&next=...&display=page&locale=nl_NL&pl_dbl=0 with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.

The app always shows the NotFoundComponent, but it's only after pressing Ctrl+F5 (cache clear) that the Facebook login page appears. Now, cache clear has nothing to do with it; the issue is definitely the CORB.

return Challenge() appears to be rendering the login page from Facebook right away, without an iframe on my own URL.

The response of the same request in Postman

I don't understand how I should get around this issue. Should I add an Access-Control-Allow-Origin header to the response to allow my application to load/redirect to the Facebook/Twitter/Google/Microsoft login page? But I'm not planning to allow all origins for sure...

PS. It works perfectly fine on localhost/development.

Information:

Version information:

Edit:

Okay, when I try to browse my sitemap: https://mintplayer.com/Sitemap I'm getting the same result, same behavior with the following console warning:

Resource interpreted as Stylesheet but transferred with MIME type application/xml: "https://mintplayer.com/assets/sitemap.xsl".

Upvotes: 0

Views: 482

Answers (1)

Pieterjan

Reputation: 3581

Okay, so after a bit of digging around, it appears that the requested resources (in my case /web/Account/connect/Facebook, ..., /signin-facebook, ..., and /Sitemap) are in fact being cached by my service worker. I updated my ngsw-config.json like this:

{
  "$schema": "./node_modules/@angular/service-worker/config/schema.json",
  "index": "/index.html",
  "version": 6,
  "assetGroups": [
    ...
  ],
  "dataGroups": [
    {
      /* /web/... can be cached, /web/Account/... cannot */
      "name": "web",
      "urls": [ "/web", "!/web/Account" ],
      "cacheConfig": {
        "maxSize": 20,
        "maxAge": "1d",
        "strategy": "freshness"
      }
    },
    {
      /* /web/Account/... cannot be cached */
      "name": "account",
      "urls": [ "/web/Account" ],
      "cacheConfig": {
        "maxSize": 0,
        "maxAge": "0u",
        "strategy": "freshness"
      }
    },
    {
      /* /signin-** (defined by Identity) cannot be cached */
      "name": "external-callback",
      "urls": [ "/signin-microsoft", "/signin-google", "/signin-facebook", "/signin-twitter" ],
      "cacheConfig": {
        "maxSize": 0,
        "maxAge": "0u",
        "strategy": "freshness"
      }
    },
    {
      /* /Sitemap cannot be cached */
      "name": "sitemap",
      "urls": [ "/Sitemap" ],
      "cacheConfig": {
        "maxSize": 0,
        "maxAge": "0u",
        "strategy": "freshness"
      }
    }
  ],
  "cacheConfig": {
    "strategy": "freshness"
  }
}

Upvotes: 1
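
The rule behind the answer, that the login challenge, the /signin-* callbacks and /Sitemap must never be answered by the service worker, written as the routing decision of a hand-written service worker. This is an added example, not code from the post and not Angular's ngsw-worker.js; `decide`, `underPrefix` and `NEVER_INTERCEPT` are hypothetical names, the paths are the ones listed in the answer, and the origin is taken from the sitemap URL in the question.

```javascript
// Added example: hand-written service worker routing (not Angular's generated worker).
// ORIGIN is an assumption taken from the sitemap URL quoted in the question.
const ORIGIN = 'https://mintplayer.com';

// Path prefixes from the answer that must always reach the server:
// the external-login challenge, the Identity callbacks and the sitemap.
const NEVER_INTERCEPT = [
  '/web/Account',
  '/signin-microsoft', '/signin-google', '/signin-facebook', '/signin-twitter',
  '/Sitemap',
];

// True when `path` equals `prefix` or continues it at a segment boundary,
// so /web/Accounting is not mistaken for /web/Account.
function underPrefix(path, prefix) {
  const p = path.toLowerCase(); // ASP.NET Core route matching is case-insensitive
  const q = prefix.toLowerCase();
  return p === q || p.startsWith(q + '/');
}

// 'bypass': the worker does not call respondWith, so the browser performs the
//           request itself and follows the server's redirect to the provider.
// 'handle': the worker may apply its caching strategy.
function decide(request) {
  const url = new URL(request.url, ORIGIN);
  if (url.origin !== ORIGIN) return 'bypass';    // never proxy third-party pages
  if (request.method !== 'GET') return 'bypass'; // only GET responses are cacheable
  if (NEVER_INTERCEPT.some((pre) => underPrefix(url.pathname, pre))) return 'bypass';
  return 'handle';
}

// Wire-up, active only inside a service worker (skipped when run under Node).
if (typeof ServiceWorkerGlobalScope !== 'undefined' && self instanceof ServiceWorkerGlobalScope) {
  self.addEventListener('fetch', (event) => {
    if (decide(event.request) === 'bypass') return; // fall through to the network
    // Network first with a cache fallback, comparable to the "freshness" strategy.
    event.respondWith(
      fetch(event.request).catch(() => caches.match(event.request))
    );
  });
}
```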
