    public void ConfigureServices(IServiceCollection services)
    {
        // Add framework services.
        services.AddMvc();
        services.AddTransient<IResourceOwnerPasswordValidator, ResourceOwnerPasswordValidator>();
        services.AddSingleton<IUserStore, InMemoryUserStore>();
        services.AddSingleton<IClientRepository, ClientRepository>();
        services.AddSingleton<ICorsPolicyService, CustomInMemoryCorsPolicy>();
        services.AddIdentityServer()
            .AddTemporarySigningCredential()
            .AddCustomInMemoryApiResources()
            .AddCustomInMemoryClients();
    }
dbug: IdentityServer4.CorsPolicyProvider[0]
CORS request made for path: /connect/authorize from origin: http://localhost:5000 but rejected because invalid CORS path
Relevant implementation: https://github.com/IdentityServer/IdentityServer4/blob/dev/src/IdentityServer4/Infrastructure/CorsPolicyProvider.cs
It says in the CorsPolicyProvider that it does:
var corsPolicyService = _httpContext.HttpContext.RequestServices.GetRequiredService<ICorsPolicyService>();
I have a break point in my implementation:
    public class CustomInMemoryCorsPolicy : ICorsPolicyService
    {
        private readonly IClientRepository clientRepository;
        private readonly ILogger logger;

        public CustomInMemoryCorsPolicy(
            IClientRepository clientRepository,
            ILogger logger)
        {
            this.clientRepository = clientRepository;
            this.logger = logger;
        }

        public Task<bool> IsOriginAllowedAsync(string origin)
        {
            var query = this.clientRepository
                .Clients()
                .SelectMany(client => client.AllowedCorsOrigins, (client, url) => url.GetOrigin());
            var result = query.Contains(origin, StringComparer.OrdinalIgnoreCase);
            var allowText = result ? "Allowing" : "Not allowing";
            this.logger.LogInformation("{0} {1}", allowText, origin);
            return Task.FromResult(result);
        }
    }
This break point is never hit - the logger never gets called....
The services.AddIdentityServer() calls this builder extension which sets the defaults up...: https://github.com/IdentityServer/IdentityServer4/blob/dev/src/IdentityServer4/Configuration/DependencyInjection/BuilderExtensions/Core.cs#L126
I'm not convinced that adding default implementations for everything is the way to go - it seems to confuse DIs..... I found this to be true with StructureMap - but also conceptually speaking.
If you register a bunch of default implementations, then try and override what happens, A) do they get overridden (this is my current problem because it is not happening), B) IMHO there is a problem with what takes priority when you have 2 concrete implementations registering down to the same interface... conceptually speaking this doesn't work.
By the way, I have attempted placing my AddSingleton<ICorsService... before and after the AddIdentityServer
In my Configure method I did this:
    public void Configure(
        IApplicationBuilder app,
        IHostingEnvironment env,
        ILoggerFactory loggerFactory,
        IOptions<IdentityServerAppOptions> identityServerAppOptions,
        ICorsPolicyService corsPolicyService,
        IEnumerable<ICorsPolicyService> corsPolicyServices)
    {
        loggerFactory.AddConsole(Configuration.GetSection("Logging"));
        loggerFactory.AddDebug();
        var logger = loggerFactory.CreateLogger("startup");
        logger.LogWarning("Using CORS: {0}", identityServerAppOptions.Value.Video.Cors);
        logger.LogWarning("Using Cors Policy Service: {0}", corsPolicyService.GetType().Name);
        corsPolicyServices.Select(x => x.GetType().Name).ToList().ForEach(name => logger.LogWarning("Cors Policy Services Registered: {0}", name));
    }
warn: startup[0]
Using Cors Policy Service: CustomInMemoryCorsPolicy
warn: startup[0]
Cors Policy Services Registered: CustomInMemoryCorsPolicy
warn: startup[0]
Cors Policy Services Registered: CustomInMemoryCorsPolicy
So I can confirm that my PolicyService is correctly registered - however still not getting picked up by the CorsPolicyProvider...
Just ticking things off the list, if I call my own implementation with http://localhost:5000 I get this log output:
warn: startup[0]
Using CORS: http://localhost:9000, http://localhost:5000
warn: startup[0]
Use CORs service: CustomInMemoryCorsPolicy
info: CustomInMemoryCorsPolicy[0]
Allowing http://localhost:5000
warn: startup[0]
Cors enabled for 5000
After reading about the place - I'm feeling I've not understood how to put this CORS into effect - I assumed you could just implement your own CorsPolicyService and then it would start working. But I feel there may be more that needs to be done?
I've made sure my client has the cors addresses added to them. So it should be okay on that front!
Is this resolved?
No, I can't get it to work at all - following the simple examples in the example project, my own project still throws out a CORS error
This sounds like the issue in Chrome where they add an Origin header on postbacks even though it's not really an ajax call. I'll try to repro when I can.
This error is just a log entry, right? It's not blocking you in any way?
It's blocking because it won't continue the authentication process
This is also causing problems for myself, trying to implement IdentityServer4 with a JavaScript client and it is stopping us being able to implement it like @no1melman
I too am unable to implement a JavaScript client because of this bug. The Quickstart7_JavaScriptClient solution fails in Chrome, Firefox and IE.
Firefox gives the following message:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:5000/.well-known/openid-configuration. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
Has there been any more progress on this? I too have hit this issue today implementing the ICorsPolicyService and adding as a singleton.
Ok, I tracked this down -- AddInMemoryClients adds our in-memory InMemoryCorsPolicyService, overwriting your ICorsPolicyService. We should check that this has not already been added to DI and only register ours if you don't have one.
As a workaround, you can register yours after you register IdentityServer in DI.
Fixed for 2.0.
Have you done this for all custom services you add to the DI? To make it consistent behaviour?
Most already were. This one was special since it's the in-mem clients.
Ahh okay, cool - looking forward to it!
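An added example, not code from the thread or from IdentityServer4: a console program showing the registration-order behaviour described above with Microsoft.Extensions.DependencyInjection, covering the overwrite, the "register yours afterwards" workaround, and the "only register if absent" fix via `TryAdd`. The `ICorsPolicyService` interface is redeclared locally, `FrameworkDefaultCorsPolicy` and `CustomCorsPolicy` are hypothetical stand-ins, and the lifetimes and the sample origin are assumptions.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;

// Local stand-in with the same shape as the interface in the thread (assumption).
public interface ICorsPolicyService { Task<bool> IsOriginAllowedAsync(string origin); }

// Hypothetical framework default: denies every origin.
public sealed class FrameworkDefaultCorsPolicy : ICorsPolicyService
{
    public Task<bool> IsOriginAllowedAsync(string origin) => Task.FromResult(false);
}

// Hypothetical custom policy with a constructed allow-list.
public sealed class CustomCorsPolicy : ICorsPolicyService
{
    private static readonly string[] Allowed = { "http://localhost:5000" };
    public Task<bool> IsOriginAllowedAsync(string origin) =>
        Task.FromResult(Allowed.Contains(origin, StringComparer.OrdinalIgnoreCase));
}

public static class Program
{
    // Resolves the service with GetRequiredService, the call the thread quotes from
    // CorsPolicyProvider, and reports how many registrations exist for the interface.
    private static string Winner(Action<IServiceCollection> register)
    {
        var services = new ServiceCollection();
        register(services);
        using var provider = services.BuildServiceProvider();
        var resolved = provider.GetRequiredService<ICorsPolicyService>().GetType().Name;
        var count = provider.GetServices<ICorsPolicyService>().Count();
        return $"{resolved} ({count} registered)";
    }

    public static void Main()
    {
        // Custom first, framework Add* afterwards: the later registration is resolved.
        Console.WriteLine(Winner(s => { s.AddSingleton<ICorsPolicyService, CustomCorsPolicy>();
                                        s.AddTransient<ICorsPolicyService, FrameworkDefaultCorsPolicy>(); }));
        // Workaround: register the custom service after the framework call.
        Console.WriteLine(Winner(s => { s.AddTransient<ICorsPolicyService, FrameworkDefaultCorsPolicy>();
                                        s.AddSingleton<ICorsPolicyService, CustomCorsPolicy>(); }));
        // Fix: the framework uses TryAdd, which keeps an existing registration.
        Console.WriteLine(Winner(s => { s.AddSingleton<ICorsPolicyService, CustomCorsPolicy>();
                                        s.TryAddTransient<ICorsPolicyService, FrameworkDefaultCorsPolicy>(); }));
    }
}
```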