Reputation: 4753
Calling MVC endpoint with Ajax when WS-Fed cookie has expired
I have an ASP.NET MVC web application targeting .NET 8. We use WS-Federation for user authentication. For the purposes of this question, let's say that every endpoint is decorated with an AuthorizeAttribute.
For reasons, we've set the expiration of the authentication cookie to be pretty short and not sliding. For testing, I've set the expiration even shorter, like this:
builder.Services.AddAuthentication(...)
.AddCookie(options =>
{
///....
options.SlidingExpiration = false;
options.ExpireTimeSpan = TimeSpan.FromSeconds(60);
})
.AddWsFederation(options =>
{
//....
options.UseTokenLifetime = false;
})
As a result, if a user authenticates, then browses around a bit, after 60 seconds when they then navigate to a different page, you can see in the browser's address bar that, as you'd expect, they are redirected to our WS-Federation endpoint briefly before being redirected to the page they requested. It's all pretty seamless.
However, there are places in the application where we make Ajax calls using fetch to the server, and this is where we have a problem. The endpoints being called are decorated with AuthorizeAttributes. If more than 60 seconds have elapsed since the user last tried to access the server and their authentication cookie was "renewed", the Ajax request fails. The dev tools console shows a few errors, including:
Access to fetch at 'https://....' (redirected from 'https://....') from origin 'https://....' has been blocked by CORS policy: 'No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
I understand why this is happening, broadly speaking, but my question is what is the best way to handle this (aside from the obvious increasing the expiration time of the authentication cookie)? Is there a way to allow the authentication cookie to be renewed with a call to the WS-Federation endpoint during an Ajax call? If not, is my only option to show a message to the user when their cookie has expired and give them the option to refresh the page (thus refreshing their cookie)?
I did try setting mode: 'no-cors' on the fetch request but, as expected, whilst the errors no longer appear in the console the fetch request fails.
Upvotes: 0
Views: 20
Answers (0)
Related Questions
- Trying to use fetch and pass in mode: no-cors
- Allow Access-Control-Allow-Origin header using HTML5 fetch API
- API Gateway CORS: no 'Access-Control-Allow-Origin' header
- No 'Access-Control-Allow-Origin' header is present on the requested resource—when trying to get data from a REST API
- Solve Cross Origin Resource Sharing with Flask
- Cross-origin resource sharing (CORS) post request works from plain javascript, but why not with jQuery
- Set cookies for cross origin requests
- AWS CloudFront: Font from origin has been blocked from loading by Cross-Origin Resource Sharing policy
- No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin '...' is therefore not allowed access
- jQuery $.ajax(), $.post sending "OPTIONS" as REQUEST_METHOD in Firefox