2

hi i am facing a weird problem , CORS is working for all other functions except for one with [authorize] attribute. i am using openiddict for authorization with JWTmiddleware. Server is hosted on IIS8 and client application is in angular2. It displays following error.

XMLHttpRequest cannot load example.com/resource. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:58056' is therefore not allowed access.

Let me know if you want to see any specific code or need more information on it.

 app.UseStaticFiles();
            loggerFactory.AddConsole(Configuration.GetSection("Logging"));
            loggerFactory.AddDebug();
            loggerFactory.AddConsole();
            app.UseIdentity();
            app.UseSession();
            app.UseGoogleAuthentication(new GoogleOptions
            {
                ClientId = "862227465575-q1spfclcfvflg4tpesfkle4e0jc3q987.apps.googleusercontent.com",
                ClientSecret = "ozzg2VvH2TYbSbBYWE_HIYG5"

            });

            app.UseTwitterAuthentication(new TwitterOptions
            {
                ConsumerKey = "6XaCTaLbMqfj6ww3zvZ5g",
                ConsumerSecret = "Il2eFzGIrYhz6BWjYhVXBPQSfZuS4xoHpSSyD9PI"
            });
            app.UseCors("AllowSpecificOrigin");
            app.UseJwtBearerAuthentication(new JwtBearerOptions
            {
                AutomaticAuthenticate = true,
                AutomaticChallenge = true,
               RequireHttpsMetadata = false
            });
            app.UseOpenIddict();
            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Home}/{action=Index}/{id?}");
                routes.MapRoute(
                    name: "spa-fallback",
                    template: "{*url}",
                    defaults: new { controller = "Home", action = "Index" });
            });

Exception

Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10 501: Signature validation failed. Unable to match 'kid': '7FG4SQ4TIATESTLI-ZDHTL RYPWIEDU_RA1FVG91D', token: '{"alg":"RS256","typ":"JWT","kid":"7FG4SQ4TIATESTLI-ZDHTLRYPWIEDU_RA1FVG9 1D"}

noobProgrammer
  • 2,884
  • 3
  • 17
  • 20
  • Your `Configure` method would be useful, especially if Cors middleware is registered **before** or **after** the Authorization middleware. Alternatively check this answer http://stackoverflow.com/a/37141865/455493 and make sure if the authentication middleware is throwing any exceptions – Tseng Jun 26 '16 at 17:14
  • hi thanks , it has nothing to do with cors specially but jwtmiddleware , i am still facing the issue when i add audience it shows above error or doesnt authenticate , i will update once i figure out whats really happening – noobProgrammer Jun 26 '16 at 18:29
  • Maybe typo or wrong configured Audience. When the audience is wrong, an exception is thrown, which may trigger the described behaviour – Tseng Jun 26 '16 at 20:02
  • i added configure method to the question adn in policy everything is allowed – noobProgrammer Jun 26 '16 at 20:18
  • @Tseng check the exception i added to question at bottom , any hint will be appreciated – noobProgrammer Jun 27 '16 at 05:03
  • @Tseng it works if i set RequireSignedTokens=false but i dont know why? can you suggest any resource? – noobProgrammer Jun 27 '16 at 20:39
  • Probably best not to include your keys and secrets to the authentication providers you're using. – Brad Jun 28 '16 at 13:08
  • keys and secrets in the token? i am not just providing audience – noobProgrammer Jun 28 '16 at 18:39

0 Answers0