Noah Eldreth

Reputation: 77

Access to XMLHttpRequest at From Origin Blocked by CORS Policy ASP.NET Core MVC

I am designing an MVC based web application serving as a reporting dashboard, pulling data from a few different sources. In addition to my Home/View Controller, I've designed API Controllers for each service/data source and I am using jQuery/Ajax to query my API Endpoints.

I am also using Microsoft.Identity.Web/Web.UI to add authorization/authentication into my application and each Controller requires an authenticated user.

The issue I am having is that the request made by my JS of course asks for data from one of my API Controllers, and the API then actually redirects me to login (even though I already have an authenticated cookie-based session). The redirect is being blocked with the following error:

Access to XMLHttpRequest at 'https://login.microsoftonline.com/...(redirected from 'https://X.X.X.X:XX/v1/MicrosoftPlanner/') from origin 'https://X.X.X.X:XX' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I have attempted unsuccessfully to utilize Microsoft's CORS to allow the redirect - my last attempt was to allow everything like so:

ConfigureServices

// using directives the excerpt relies on (top of Startup.cs)
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

public void ConfigureServices(IServiceCollection services)
{
    string[] initialScopes = Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');

    // Cookie session for the browser, OpenID Connect challenge against Azure AD,
    // plus token acquisition for the Microsoft Graph downstream API.
    services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))
                .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
                    .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
                    .AddInMemoryTokenCaches();

    // Credentials for the other data sources the dashboard reports on.
    services.Configure<ParkMyCloudApiCredentials>(Configuration.GetSection("ParkMyCloud"));
    services.Configure<ServiceNowApiCredentials>(Configuration.GetSection("ServiceNow"));

    services.AddCors();

    // Global filter: every controller (MVC views and API) requires an authenticated user.
    services.AddControllersWithViews(options =>
    {
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        options.Filters.Add(new AuthorizeFilter(policy));
    });
    services.AddRazorPages()
            .AddMicrosoftIdentityUI();

    services.AddOptions();
}

Configure

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.CongfigureExceptionHandler(); // custom extension method, not shown
    }
    app.UseHttpsRedirection();
    app.UseStaticFiles();

    // Last attempt: a wildcard CORS policy for every origin, method and header.
    app.UseCors(builder =>
    {
        builder
            .AllowAnyOrigin()
            .AllowAnyMethod()
            .AllowAnyHeader();
    });

    app.UseRouting();

    app.UseAuthentication();
    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllerRoute(
            name: "default",
            pattern: "{controller=Home}/{action=Index}/{id?}");
        endpoints.MapRazorPages();
    });
}

I am going off Microsoft Documentation here: https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-5.0#preflight-requests

It is my understanding that this is the absolute least restrictive configuration, thus it should serve as a basic case that would succeed. However, I still have yet to figure out how to resolve this.

I know I could potentially use a proxy, but I am trying to avoid workarounds.

I've also looked at other posts on here, and thus far I haven't seen a solution that has also worked for me.

Upvotes: 0

Views: 3685

Answers (2)

Noah Eldreth

Reputation: 77

I contacted Microsoft dev assistance and it turns out you can't apply a CORS policy to the Azure AD login endpoint. I am attempting a workaround with ADAL/MSAL.JS implicit grant flow.

Upvotes: 1

Zhi Lv

Reputation: 21656

From this doc, we can see that:

A CORS preflight request is used to determine whether the resource being requested is set to be shared across origins by the server. OPTIONS requests are always anonymous, so the server would not correctly respond to the preflight request if anonymous authentication is not enabled.

Access to XMLHttpRequest at 'https://login.microsoftonline.com/...(redirected from 'https://X.X.X.X:XX/v1/MicrosoftPlanner/') from origin 'https://X.X.X.X:XX' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

To fix the above issue, if you run the App(s) locally for testing purposes with CORS, you can try to enable anonymous authentication.

Besides, if your App(s) are hosted on IIS, you can try to install the IIS CORS module and configure CORS for the app.

Upvotes: 1
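As an added example (not code from the question or from either answer), this is the Startup wiring a practitioner would use for the situation described above: the OpenID Connect challenge is altered so that an AJAX call to an API controller gets a 401 instead of the 302 to login.microsoftonline.com that the browser was refusing, and the CORS middleware sits between UseRouting and UseAuthorization as the linked docs require. The "/v1" prefix is taken from the error message in the question; the X-Requested-With check assumes jQuery's default same-origin AJAX header, and "https://dashboard.example" is a placeholder for the dashboard's real origin.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class ApiChallengeSetup
{
    // Dashboard JS calling an API: /v1 prefix is from the question's error, X-Requested-With is jQuery's AJAX header.
    public static bool IsApiRequest(HttpRequest request) =>
        request.Path.StartsWithSegments("/v1")
        || string.Equals(request.Headers["X-Requested-With"].ToString(), "XMLHttpRequest",
                         StringComparison.OrdinalIgnoreCase);

    // Must be called after AddMicrosoftIdentityWebApp(...) so it wraps the handler Microsoft.Identity.Web installed.
    public static IServiceCollection AddApiFriendlyChallenge(this IServiceCollection services)
    {
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            options.Events ??= new OpenIdConnectEvents();
            var inner = options.Events.OnRedirectToIdentityProvider;
            options.Events.OnRedirectToIdentityProvider = async ctx =>
            {
                if (IsApiRequest(ctx.Request))
                {
                    // An XHR cannot follow a cross-origin redirect that the IdP answers without CORS headers,
                    // so answer 401 here and let the page script re-establish the session instead.
                    ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
                    ctx.HandleResponse();
                    return;
                }
                if (inner != null) await inner(ctx);
            };
        });
        return services;
    }

    // Middleware order from the docs linked in the question: UseCors between UseRouting and UseAuthorization,
    // with the policy restricted to the dashboard's own origin (placeholder) instead of AllowAnyOrigin.
    public static void ConfigurePipeline(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseCors(b => b.WithOrigins("https://dashboard.example").AllowAnyHeader().AllowAnyMethod());
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(e => { e.MapControllers(); e.MapRazorPages(); });
    }
}
```

Call services.AddApiFriendlyChallenge() after the AddMicrosoftIdentityWebApp(...) chain in ConfigureServices; the page script then sees a 401 on an expired session and can reload so the MVC view triggers the normal sign-in redirect.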
