
Making a CORS request with ASP.NET Core and Aurelia http-fetch-client does not work correctly when Windows (NTLM) authentication is enabled. The setup is as follows:

Static files are hosted on http://localhost:50927/

API is hosted on http://localhost:50928/

The Aurelia HTTP fetch client has been configured to use the API port:

this.client = new HttpClient();
// Point every request at the API origin (a different port from the static files)
this.client.configure((config: any) => {
    config.withBaseUrl('http://localhost:50928/api/');
});

The ASP.NET Core API server has been configured to use CORS in Startup.cs:

app.UseCors(builder => builder
    .AllowAnyOrigin()
    .AllowAnyMethod()
    .AllowAnyHeader()
    .AllowCredentials());

However, when Windows authentication is enabled, requests to the API fail and the web browser console shows the following:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the  remote resource at http://localhost:50928/api/sifiri/get-all-reports. (Reason: CORS header 'Access-Control-Allow-Origin' missing).[Learn More]

If Windows authentication is disabled and only anonymous authentication is enabled, the CORS request works fine. Are there any solutions to this? All the right settings seem to be enabled, unless I've missed something.

Edit: after disabling "Just my code", a related exception is shown in the console:

Exception thrown: 'System.Net.Sockets.SocketException' in Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets.dll
Exception thrown: 'System.Net.Sockets.SocketException' in System.Private.CoreLib.dll
Exception thrown: 'System.IO.IOException' in System.Net.Sockets.dll
Exception thrown: 'System.IO.IOException' in System.Private.CoreLib.dll
Exception thrown: 'System.Threading.Tasks.TaskCanceledException' in System.Net.Http.dll
Exception thrown: 'System.Threading.Tasks.TaskCanceledException' in System.Private.CoreLib.dll
Exception thrown: 'System.ObjectDisposedException' in System.Net.Sockets.dll
Exception thrown: 'System.ObjectDisposedException' in System.Private.CoreLib.dll
Exception thrown: 'System.ObjectDisposedException' in System.Private.CoreLib.dll

No more information is given.

Joshun
  • Are you having an exception in your code? Exception middleware clears previously set CORS headers. And of course, in which order is the CORS middleware registered? Before MVC, after it? At the beginning? – Tseng Nov 12 '18 at 14:34
  • I didn't think so, but after disabling "Just my code" it seems that an exception is getting thrown. I'll add this to the post – Joshun Nov 12 '18 at 14:38
  • Well, you'll see in the console or debug window if an (uncaught) exception is being logged or not – Tseng Nov 12 '18 at 14:39

1 Answer


You just need to include the credentials and mode while you are making the fetch call. This should look something like below:

this.client
    .fetch(apiUrl, {
        mode: "cors",
        credentials: "include",
        ...
    })

With this, you are basically asking the browser to include user credentials with the fetch request. And that should suffice, given you have configured CORS on the service to include client origin/header/method etc.

Hope it helps.

Sayan Pal
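The browser-side rule that applies once a request is sent with `credentials: "include"`, as an added example that is not part of the original question or answer: a simplified model of the CORS check from the Fetch standard, run over constructed response headers for the question's static-file origin. `corsCheck`, `SAMPLES` and `evaluateSamples` are hypothetical names introduced here.

```javascript
// Added example: simplified model of the browser's CORS check (Fetch standard).
// corsCheck() and the sample headers below are constructed for illustration.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  // Header names are case-insensitive, so normalise them before lookup.
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const ok = { allowed: true, reason: "ok" };
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: "Access-Control-Allow-Origin missing" };
  }
  const withCredentials = credentialsMode === "include";
  // The wildcard is honoured only for requests sent without credentials.
  if (!withCredentials && allowOrigin === "*") return ok;
  if (allowOrigin !== requestOrigin) {
    const reason = allowOrigin === "*"
      ? "wildcard rejected for credentialed request"
      : "origin mismatch";
    return { allowed: false, reason };
  }
  if (!withCredentials) return ok;
  // Credentialed responses must also opt in explicitly (case-sensitive "true").
  if (h["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "Access-Control-Allow-Credentials is not 'true'" };
  }
  return ok;
}

const ORIGIN = "http://localhost:50927"; // static-file origin from the question

// Constructed response header sets, not captured from a real server.
const SAMPLES = {
  noCorsHeaders: {}, // matches the console error quoted in the question
  wildcard: { "Access-Control-Allow-Origin": "*" },
  wildcardWithCreds: { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true" },
  exactWithoutCreds: { "Access-Control-Allow-Origin": ORIGIN },
  exactWithCreds: { "Access-Control-Allow-Origin": ORIGIN, "Access-Control-Allow-Credentials": "true" },
};

// Evaluate every sample under one credentials mode ("omit" or "include").
function evaluateSamples(credentialsMode) {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, hdrs]) => [name, corsCheck(ORIGIN, credentialsMode, hdrs)])
  );
}

console.log(evaluateSamples("include"));
```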