Guilherme
Guilherme

Reputation: 413

Problem on CORS configuration with Web Api 2, OWIN and Identity Server

I have a few web applications under the same domain, all using a stand alone Identity Server 3 app for login purposes. Under test environment, every single one of then are under the same domain (http://192.168.100.1, or by dns http://companyServer).

Recently, one application needed to request some data from another app, and I found the following error when debugging on Visual Studio:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://companyServer:60000/MyApp/Api/Company/Info?parameter=123. (Reason: CORS header 'Access-Control-Allow-Origin' not present).

We have a central library responsible for configuring Web API on our systems, it has the following (among other things):

public static IAppBuilder UseCebiUtilWebApi(this IAppBuilder app, CebiWebApiOptions options)
{
    Logger.Debug("Configuring Web API");

    app.UseCors(CorsOptions.AllowAll);

    ...
}

On the same method, we also configure Identity Server.

I also checked on my Login Server App, and there is the following code regarding CORS:

public class CompanyCorsPolicyService : DefaultCorsPolicyService
{
    public CompanyCorsPolicyService()
    {
        base.AllowAll = true;
    }
}

This method is being called on the project's Startup.cs.

As far as I know, every single end of my environmet should be enabling full CORS access, no matter the origin. But the header is still missing.

I've tried quite a few solutions on the internet:

Using "config.EnableCors" instead of "app.UseCors"

Overriding GrantResourceOwnerCredentials,

I have also tried setting up manually some CORS related headers on Web.Config, but I was unable to find the specific question here on SO.

I don't think identity server is related to this problem, but since that is the difference between my evironment and the solutions I've found, I decided to put it in here too.

Any ideas?

Upvotes: 0

Views: 241

Answers (1)

phuzi
phuzi

Reputation: 13069

It's possible that the OPTIONSVerbHandler could be intercepting all OPTIONS (CORS pre-flight) requests.

Try disabling that so that ASP.Net can handle those requests instead.

Upvotes: 0

Related Questions