401 Unauthorized response to CORS preflight OPTIONS request

Question

I have a CORS problem with my WebApi in ASP.NET CORE, when I make a HTTP GET request with my Client i a have this error :

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://service.staging.domain.com/application-api-staging/account. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://service.staging.domain.com/application-api-staging/account. (Reason: CORS request did not succeed

https://service.staging.domain.com/application-api-staging is my WebAPI base https://client.staging.domain.com for my web client.

When i check the Firefox console, I have a request & response header below :

Response headers

HTTP/1.1 401 Unauthorized
Server: nginx/1.10.3
Date: Fri, 10 Apr 2020 14:55:31 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 61
Connection: keep-alive
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
ETag: W/"3d-nALmWVEo7YlT78MufcqgeUavvX4"

Request headers

Host: service.staging.domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization,content-type,tenant
Referer: https://client.staging.domain.com/application/
Origin: https://client.staging.domain.com
Connection: keep-alive

In my webAPi startup.cs I configured the CORS: startup.cs

readonly string MyAllowSpecificOrigins = "_myAllowSpecificOrigins";

services.AddCors(options => {
  options.AddPolicy(MyAllowSpecificOrigins,
    builder => {
      builder
       .AllowAnyOrigin()
       .AllowAnyHeader()
       .AllowAnyMethod();
    });
});

app.UseCors(MyAllowSpecificOrigins)

And in my controller.

accountController.cs

[EnableCors("_myAllowSpecificOrigins")]

When I test with my client web and my WebAPI in local, client web -> http://localhost:4200 WebApi -> https://localhost:44354 In this case, I can make the request, no problem... it work

but in the second case : client web -> http://localhost:4200 WebApi -> https://service.staging.domain.com/application-api-staging In this case, i have a CORS problem, not work

the same in the third case with the web client and WebApi deploy client web -> https://client.staging.domain.com/application/ WebApi -> https://service.staging.domain.com/application-api-staging the same, I have a CORS probleme, not work

Same error see in the beginning from my question for the error message.

Why I have an error CORS with the url staging ? and/or i can fix that ? Its a nginx problem ?

thank for your help.

UPDATE

The WebAPI and the Webclient work on the Linux Server, so I don't use IIS but I use NGINX.

How I can configure NGINX, or may be it's a asp.net core configuration the problem ?

Answer 1

Try this, worked for me

In launchSettings.json, under iisSettings, set anonymousAuthentication and windowsAuthentication to true.

"iisSettings": {
"windowsAuthentication": true,
"anonymousAuthentication": true,
"iisExpress": {
  "applicationUrl": "http://localhost:8791/",
  "sslPort": 0
}

Answer 2

Check your middleware usage order in StartUp.cs UseCors() should come before UseAuthorization()