CORS With Enable OPTIONS Header on ASP Net Core 5 Web Api

I have already read all the similar questions here on StackO, and many other links, and most of them are related to Core 2 and 3. I have also read all the MS documentation for CORS and still couldn't understand what is going wrong. So I would ask you to read carefully what I'm going to write and look at all the evidence I have.

On my environment I do have an Id Server 4 app running on Kestrel to handle auths and for this server I already have CORS working fine, also on my Id Server Clients I do have my ClientScopes related to my Client (Angular app).

Id Server 4 config below:

[enter image description here]

Id Server is being called fine from my localhost app and working fine:

[enter image description here] [enter image description here]

But when I call my other web API (rede-dev), I'm facing a CORS issue:

[enter image description here]

Trying GET verb enforcing Origin header from Postman, it does work fine because it does not preflight the request:

[enter image description here]

But if I try OPTIONS, I can't see my OPTIONS verb in my response header and I am getting a 405:

[enter image description here]

Startup.cs

So I made all the required Startup.cs config based on the MS docs, also according to the middleware order, and it is still not working.

public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(options =>
        {
            options.AddPolicy("CorsPolicy",
            builder =>
            {
                builder.AllowAnyOrigin();
                builder.AllowAnyMethod();
                //builder.WithMethods("POST", "PUT", "DELETE", "GET", "OPTIONS");
                builder.AllowAnyHeader();
                builder.WithHeaders("Authorization");
            });
        });

        //Json
        services.AddControllers();
        //services.AddControllers().AddJsonOptions(options => options.JsonSerializerOptions.PropertyNamingPolicy = null);
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
        });

        //Log
        Serilog.Core.Logger serilog = new LoggerConfiguration().ReadFrom.Configuration(Configuration).CreateLogger();

And

public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IApiVersionDescriptionProvider provider)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
            app.UseForwardedHeaders();
        }
        else
        {
            app.UseExceptionHandler("/Error");
            app.UseForwardedHeaders();
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();

        app.UseRouting();
        app.UseCors("CorsPolicy");

        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });

        app.UseSwagger();
        app.UseSwaggerUI(options =>
        {
            foreach (var description in provider.ApiVersionDescriptions)
            {
                options.SwaggerEndpoint($"/swagger/{description.GroupName}/swagger.json", description.GroupName.ToUpperInvariant());
            }
        });
    }

What am I missing here?

Thanks in advance,

I think you can try this syntax

services.AddCors(o => o.AddPolicy("CorsPolicy", builder =>
            {
                builder.AllowAnyOrigin()
                       .AllowAnyMethod()
                       .AllowAnyHeader();
            }));

@PaulWheeler said in the comments above: The reason you are getting a 405 response to the OPTIONS request from Postman is because ASP.Net requires that at least the 'Access-Control-Request-Method' and 'Origin' headers be specified for such a request when the CORS middleware is handling it (you have the latter but not the former). Since you're using GET and that is generally considered a "safe" operation, the browser will issue it without pre-flight OPTIONS checks. So I'm guessing the error is stemming from some other issue (i.e. an unhandled exception), and CORS policy on the browser is just masking the issue. I'm not sure the default CORS middleware will include headers on 500 responses.

After Paul pointed out the possible error, I did further investigation on my Kestrel logs, as below: [enter image description here]

After some research I figured out that my problem was my certificate. [enter image description here]

I was using one certificate for each app; instead of that, I should share the Id Server certificate with the other apps.

Thanks, Paul.
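
The behaviour described in the quoted comment, as an added example that is not part of the original posts and is not ASP.NET Core's own code: a simplified Python model in which an OPTIONS request is answered as a preflight only when it carries both `Origin` and `Access-Control-Request-Method`, and otherwise falls through to routing. The routed verb set, the sample origin and the echoed `Access-Control-Allow-*` values are assumptions of this model.

```python
# Added example: simplified model of preflight handling, not ASP.NET Core source.
ROUTED_VERBS = {"GET"}  # assumption: the controller action only maps GET


def classify(method, headers):
    """Decide how a CORS middleware treats a request before routing runs."""
    names = {k.lower() for k in headers}
    if "origin" not in names:
        return "not-cors"
    if method.upper() == "OPTIONS" and "access-control-request-method" in names:
        return "preflight"
    return "actual"


def respond(method, headers):
    """Return (status, cors_headers) under the page's allow-any policy."""
    h = {k.lower(): v for k, v in headers.items()}
    if classify(method, headers) == "preflight":
        # The middleware answers on its own; routing never sees the request.
        # Echoing the requested method/headers is this model's choice.
        return 204, {
            "Access-Control-Allow-Origin": "*",
            "Access-Control-Allow-Methods": h["access-control-request-method"],
            "Access-Control-Allow-Headers": h.get("access-control-request-headers", ""),
        }
    # Anything else goes to routing, which rejects verbs the action lacks.
    # (CORS headers on non-preflight responses are left out of this model.)
    return (200 if method.upper() in ROUTED_VERBS else 405), {}


# Constructed requests mirroring the Postman tests in the question.
ORIGIN = {"Origin": "http://localhost:4200"}  # constructed origin
POSTMAN_OPTIONS = ("OPTIONS", ORIGIN)  # Origin only, as sent from Postman
BROWSER_PREFLIGHT = ("OPTIONS", {**ORIGIN,
                                 "Access-Control-Request-Method": "GET",
                                 "Access-Control-Request-Headers": "authorization"})

if __name__ == "__main__":
    for name, req in [("postman", POSTMAN_OPTIONS), ("browser", BROWSER_PREFLIGHT)]:
        print(name, classify(*req), respond(*req))
```

To reproduce a real preflight from Postman, add an `Access-Control-Request-Method` header next to `Origin` on the OPTIONS request.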
