1

I have already read all the similar questions here on StackO and many other links, and most of them are related to Core 2 and 3. I have also read all the MS documentation for CORS and still couldn't understand what is going wrong. So I would ask you to read carefully what I'm going to write and look at all the evidence I have.

In my environment I have an Id Server 4 app running on Kestrel to handle auth, and for this server I already have CORS working fine. In my Id Server Clients I also have the ClientScopes related to my client (Angular app).

Id Server 4 config below:

enter image description here

Id Server is being called fine from my localhost app and working fine:

enter image description here enter image description here

But when I call my other web API (rede-dev), I'm facing a CORS issue:

enter image description here

Trying GET verb enforcing Origin header from Postman, it does work fine because it does not preflight the request:

enter image description here

But if I try OPTIONS, I can't see my OPTIONS verb in my response header and I'm getting a 405:

enter image description here

Startup.cs

So I made all the Startup.cs config asked for in the MS docs, also following the middleware order, and it is still not working.

public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(options =>
        {
            options.AddPolicy("CorsPolicy",
            builder =>
            {
                builder.AllowAnyOrigin();
                builder.AllowAnyMethod();
                //builder.WithMethods("POST", "PUT", "DELETE", "GET", "OPTIONS");
                builder.AllowAnyHeader();
                builder.WithHeaders("Authorization");
            });
        });

        //Json
        services.AddControllers();
        //services.AddControllers().AddJsonOptions(options => options.JsonSerializerOptions.PropertyNamingPolicy = null);
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
        });

        //Log
        Serilog.Core.Logger serilog = new LoggerConfiguration().ReadFrom.Configuration(Configuration).CreateLogger();

And

public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IApiVersionDescriptionProvider provider)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
            app.UseForwardedHeaders();
        }
        else
        {
            app.UseExceptionHandler("/Error");
            app.UseForwardedHeaders();
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();

        app.UseRouting();
        app.UseCors("CorsPolicy");

        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });

        app.UseSwagger();
        app.UseSwaggerUI(options =>
        {
            foreach (var description in provider.ApiVersionDescriptions)
            {
                options.SwaggerEndpoint($"/swagger/{description.GroupName}/swagger.json", description.GroupName.ToUpperInvariant());
            }
        });
    }

What am I missing here?

Thanks in advance,

8
  • Try to remove builder.WithHeaders("Authorization"); Commented May 13, 2021 at 20:20
  • @Sergey tried removing builder.WithHeaders("Authorization"); and have the same result. Commented May 13, 2021 at 20:29
  • Also tried to toggle RequireHttpsMetadata and nothing changed. But I didn't try to set that to "true" and call from Angular App under HTTPS. Should I? Commented May 13, 2021 at 20:30
  • I don't have time to write this up as an answer just now, but the reason you are getting a 405 response to the OPTIONS request from Postman is because ASP.Net requires that at least the Access-Control-Request-Method and Origin headers be specified for such a request when the CORS middleware is handling it (you have the latter but not the former). Commented May 14, 2021 at 10:30
  • ... Since you're using GET and that is generally considered a "safe" operation, the browser will issue it without pre-flight OPTIONS checks. So I'm guessing the error is stemming from some other issue (i.e. an unhandled exception), and CORS policy on the browser is just masking the issue. I'm not sure the default CORS middleware will include headers on 500 responses. Commented May 14, 2021 at 10:31

2 Answers 2

1

I think you can try this syntax

services.AddCors(o => o.AddPolicy("CorsPolicy", builder =>
            {
                builder.AllowAnyOrigin()
                       .AllowAnyMethod()
                       .AllowAnyHeader();
            }));

7 Comments

I already tried this one and still doesn't work.
Pls try again. Just copy and paste
ok, I just did copy and paste. Still the same error.
What is the same error? Method is not allowed?
Yes. Exactly the same one.
1

@PaulWheeler said in the comments above: The reason you are getting a 405 response to the OPTIONS request from Postman is because ASP.Net requires that at least the 'Access-Control-Request-Method' and 'Origin' headers be specified for such a request when the CORS middleware is handling it (you have the latter but not the former). Since you're using GET and that is generally considered a "safe" operation, the browser will issue it without pre-flight OPTIONS checks. So I'm guessing the error is stemming from some other issue (i.e. an unhandled exception), and CORS policy on the browser is just masking the issue. I'm not sure the default CORS middleware will include headers on 500 responses.

After Paul pointed out the possible error to me, I did further investigation on my Kestrel logs as below: enter image description here

After some research I could figure out that my problem was my certificate. enter image description here

I was using one certificate for each app; instead of that I should share the Id Server certificate with the other apps.

Tnx Paul,
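
The preflight rules referred to in the answer above, as an added example that is not part of the original answers: a JavaScript model (simplified from the Fetch standard; not browser or ASP.NET Core source code) of when a browser sends a preflight and when a server-side CORS middleware treats an OPTIONS request as one. The origin `http://localhost:4200` and the token are constructed placeholders, and only headers set by the calling script are considered.

```javascript
// Added example: simplified model of CORS preflight decisions.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Lower-case header names so lookups are case-insensitive, as in HTTP.
function normalize(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
}

// Browser side: script-set header names that are not CORS-safelisted.
function unsafeHeaders(headers) {
  return Object.entries(normalize(headers)).filter(([name, value]) => {
    if (SAFE_HEADERS.has(name)) return false;
    if (name === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      return !SAFE_CONTENT_TYPES.has(mime);
    }
    return true; // e.g. "authorization" is never safelisted
  }).map(([name]) => name);
}

// A cross-origin request is preflighted if its method or any header is unsafe.
function browserSendsPreflight(method, headers = {}) {
  return !SAFE_METHODS.has(method.toUpperCase()) ||
    unsafeHeaders(headers).length > 0;
}

// Server side: OPTIONS counts as a preflight only with both Origin and
// Access-Control-Request-Method; otherwise it is routed like any other request.
function classifyOnServer(method, headers = {}) {
  const h = normalize(headers);
  if (!("origin" in h)) return "not-cors";
  const isOptions = method.toUpperCase() === "OPTIONS";
  return isOptions && "access-control-request-method" in h
    ? "preflight" : "actual-request";
}

// Constructed sample requests.
const postmanOptions = { Origin: "http://localhost:4200" };
const browserPreflight = {
  Origin: "http://localhost:4200",
  "Access-Control-Request-Method": "GET",
  "Access-Control-Request-Headers": "authorization",
};
console.log(classifyOnServer("OPTIONS", postmanOptions));   // actual-request
console.log(classifyOnServer("OPTIONS", browserPreflight)); // preflight
```

An OPTIONS request classified as `actual-request` goes on to routing, where a controller with no OPTIONS action answers 405; a GET that carries an `Authorization` header is preflighted because that header is not safelisted.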
