Identityserver4: Updating IdSvr to ASP.NET Core 2.2 preview 3 breaks CORS for Firefox

Created on 19 Oct 2018 · 13 Comments · Source: IdentityServer/IdentityServer4

Issue / Steps to reproduce the problem

Update the JavaScript client quickstart so that IdentityServer is built and runs against .NET Core 2.2 preview 3 (2.2.0-preview3-35497).

When the JavaScript client makes a CORS preflight request (to /connect/userinfo) the response contains
Access-Control-Allow-Headers: * rather than Access-Control-Allow-Headers: authorization (the behaviour under .NET Core 2.0)

For Chrome and Edge, this isn't a problem. The CORS requests work as expected.

In Firefox the CORS preflight response blocks the browser with the following console messages

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:5000/connect/userinfo. (Reason: missing token ‘authorization’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel).[Learn More]
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:5000/connect/userinfo. (Reason: CORS request did not succeed).[Learn More]

Wildcard allow-headers responses still aren't supported in Firefox apparently, as per: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers#Compatibility_notes
(for reference, I'm using FF dev edition, v64)

bug report
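
The difference reported above, modelled as an added example (not code from the issue, IdentityServer or any browser): it compares the headers a preflight asks for against `Access-Control-Allow-Headers`, once for a client that honours `*` and once for one that reads it as a literal name. The function names and the `honorsWildcard` flag are hypothetical, the header values are constructed, and only the header-list comparison is modelled.

```javascript
// Added example: names are hypothetical, sample header values are constructed.

// Split a comma-separated header list into lowercase tokens.
function parseHeaderList(value) {
  return (value || "")
    .split(",")
    .map((token) => token.trim().toLowerCase())
    .filter((token) => token.length > 0);
}

// Returns the requested header names that the preflight response does not cover.
//   requestHeaders: value of Access-Control-Request-Headers (preflight request)
//   allowHeaders:   value of Access-Control-Allow-Headers (preflight response)
//   honorsWildcard: true  -> "*" means "any header"
//                   false -> "*" is compared like any other header name
function missingPreflightHeaders(requestHeaders, allowHeaders, honorsWildcard) {
  const requested = parseHeaderList(requestHeaders);
  const allowed = new Set(parseHeaderList(allowHeaders));
  if (honorsWildcard && allowed.has("*")) {
    return [];
  }
  return requested.filter((name) => !allowed.has(name));
}

function preflightPasses(requestHeaders, allowHeaders, honorsWildcard) {
  return missingPreflightHeaders(requestHeaders, allowHeaders, honorsWildcard).length === 0;
}

// Constructed cases: the userinfo call sends an Authorization header.
const cases = [
  { allow: "*", honorsWildcard: true },              // wildcard response, wildcard-aware client
  { allow: "*", honorsWildcard: false },             // wildcard response, literal-matching client
  { allow: "authorization", honorsWildcard: false }, // explicit list, literal-matching client
];

for (const c of cases) {
  const missing = missingPreflightHeaders("authorization", c.allow, c.honorsWildcard);
  const verdict = missing.length === 0 ? "allowed" : "blocked, missing: " + missing.join(", ");
  console.log(`Allow-Headers "${c.allow}" (honorsWildcard=${c.honorsWildcard}): ${verdict}`);
}
```

An explicit header list passes under both behaviours, which is why the response described for .NET Core 2.0 worked in every browser mentioned here.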

All 13 comments

This sounds like a more general issue for ASP.NET Core. Can you open an issue with them?

Looks like there's a breaking change in CORS behaviour - https://github.com/aspnet/AspNetCore/issues/3106

Waiting for a response to see if this means a change is needed here, or if the ASP.NET team will revert or adjust their changes

Ran into the same problem yesterday. oidc-client-js fails on Firefox because of CORS on userinfo

So I guess they have sorted it out?

no

Microsoft says they made a commit which closed the issue. It's not fixed then?

Not in Preview3 at least.

They'll need to release the next preview before we can test it or we could build the runtime ourselves and try it. I'm happy to wait for the next preview myself, but I'm lazy like that.

EDIT: D'Oh! Brain fade. I forgot about the daily builds... I'll try with one of those and see if it works. Might take 24 hours or so before I can get to it though.

I'm struggling to get the .NET Core SDK nightly builds working on my machine to see if this is now resolved (I'm getting some nuget package issues). I'll try again in a few days.

Hooray for yak shaving! My NuGet packages issue was related to this problem https://github.com/NuGet/Home/issues/7414.

Anyway, once that was worked around, I grabbed the latest nightly build (2.2.100-rtm-009571 for reference) and retested the quickstart sample again. Good news! It's all working as expected 😄

I'm not sure if you want to close this now or if we should wait until the next preview is publicly released. I'll leave that up to you.

Thanks for the investigation @rbanks54. I guess I'll leave it open to remind myself to re-test once it's released. Thanks.

Now that the stable .NET Core 2.2.0 release is out, I've just retested it. Everything seems to be working as expected.

Closing this issue to save you the hassle 🙂

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
