
Using Identity Server 3 I'm trying to configure CORS as per the documentation. When I perform a GET request, I can see that the response captured in Fiddler is correct, but is lacking the Access-Control-Allow-Origin header.

Here is the code used to set up the IdentityServerOptions:

// Namespaces the snippet relies on (OWIN startup plus the IdentityServer3 configuration,
// service and default-service types used below).
using Owin;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Services.Default;

public class Startup
{
    // certificateProvider and logoutUrls are members of this class that are defined
    // elsewhere in the question author's project and are not shown here.

    public void Configuration(IAppBuilder app)
    {
        // In-memory client and scope stores built from the question author's helpers.
        var factory = InMemoryFactory.Create(
            clients: Clients.Get(),
            scopes: Scopes.Get());

        var viewOptions = new DefaultViewServiceOptions();
        viewOptions.Stylesheets.Add("/Content/site.css");
        viewOptions.Scripts.Add("/Content/logon.js");
        viewOptions.CacheViews = false;
        factory.ConfigureDefaultViewService(viewOptions);

        // This is where the CORS policy service is configured.
        var corsPolicyService = new DefaultCorsPolicyService();
        corsPolicyService.AllowAll = true;
        factory.CorsPolicyService = new Registration<ICorsPolicyService>(corsPolicyService);

        // LocalRegistrationUserService comes from the IdentityServer3 samples.
        var userService = new LocalRegistrationUserService();
        factory.UserService = new Registration<IUserService>(resolver => userService);

        var options = new IdentityServerOptions
        {
            SiteName = "IdentityServer",
            SigningCertificate = this.certificateProvider.Certificate,
            Factory = factory,
            RequireSsl = true,

            // This is deprecated, but should still work according to the documentation.
            // However using or not using it makes no change.
            // CorsPolicy = CorsPolicy.AllowAll,

            ProtocolLogoutUrls = logoutUrls,
            AuthenticationOptions = new AuthenticationOptions()
            {
                EnableSignOutPrompt = false,
                EnablePostSignOutAutoRedirect = true,
                PostSignOutAutoRedirectDelay = 5,
            },
        };

        // Mount IdentityServer under /core.
        app.Map("/core", idsrvApp =>
        {
            idsrvApp.UseIdentityServer(options);
        });
    }
}

If I then do a simple GET request from a different site, this is the response I get:

HTTP/1.1 302 Found
Content-Length: 0
Location: https://federation.example.com/core/login?signin=2ce0b4f...71313af
Server: Microsoft-IIS/8.5
Set-Cookie: SignInMessage.2ce0b4f...A1D5NkPJQ; path=/core; secure; HttpOnly
X-Powered-By: ASP.NET
Date: Mon, 13 Jul 2015 12:00:00 GMT

Why is the Access-Control-Allow-Origin header not being applied?


1 Answer


It appears that the CORS policy service is being set up correctly within Identity Server 3, but the path being requested is explicitly not available via a different server.

The requested path, identified by the errors in the logging tables, is:

CORS request made for path: /connect/authorize from origin: null but rejected because invalid CORS path

I believe that this is in here as an extra security measure to prevent malicious systems from signing users in without their consent.

The only systems that can call this protected path would therefore be defined within the factory's Client.RedirectUris (for an implicit flow).

Comment: I don't have the time available to form a full response, but I can confirm that I am working with IdS3 with no `Access-Control-Allow-Origin` issues. Check out the JSImplicitClient sample in the samples repository for guidance. I have been experiencing `Access-Control-Allow-Methods` issues, but that's not what you asked about. – K. Alan Bates Jul 13 '15 at 15:03