It appears that the validation for Client Configuration is more strict than it was before. I ended up getting this error in my IDS logs:
2019-07-12 09:33:58.5361||ERROR|IdentityServer4.Stores.ValidatingClientStore|Invalid client configuration for client [REDACTED]: AllowedCorsOrigins contains invalid origin: https://[redacted]
This had been working previously. The fault is with my own bad data; however, IDS is now failing any token requests for this client that had previously been working.
Don't know if this should be considered a breaking change or not, but I thought it's something others may run into as well given that IDS was previously more forgiving.
Is it because there is a path in your origin?
Yes. That was the problem. I had some bad data (a full URL), but the validator used to allow and ignore it.
I'm using a custom IClientStore and I've cleaned up my data and am now checking upstream before including an invalid origin in the first place.
I don't feel there's an action item/bug related to this, just wanted to raise awareness for others that might encounter this issue.
Yep, no worries. It's something we should have had in there, and I added it recently when I saw that people were putting real URLs and not proper origins in there. IIRC, that causes the MSFT CORS Plumbing to crap out, so we were trying to help. Thanks again.
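The kind of upstream check described above, as an added example that is not part of the original thread and is not IdentityServer4's own validator: it accepts a value only when it is exactly `scheme://host[:port]` and otherwise reports the origin the value would reduce to. The class name, the comparison rule and the sample values are assumptions made for illustration.

```csharp
using System;

// Hypothetical helper for a custom client store; not part of IdentityServer4.
public static class CorsOriginCheck
{
    // Returns true when 'value' is exactly scheme://host[:port].
    // Otherwise 'origin' holds the origin derived from the value,
    // or stays empty when no origin can be derived at all.
    public static bool IsOrigin(string value, out string origin)
    {
        origin = string.Empty;
        if (!Uri.TryCreate(value, UriKind.Absolute, out var uri) || uri.Host.Length == 0)
            return false;

        // Browsers omit the scheme's default port in the Origin header,
        // so the derived origin omits it too.
        origin = uri.IsDefaultPort
            ? $"{uri.Scheme}://{uri.Host}"
            : $"{uri.Scheme}://{uri.Host}:{uri.Port}";

        // A path, query, fragment, user info or trailing slash makes the strings differ.
        return string.Equals(value, origin, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // Constructed sample values, modelled on the cases in this thread.
        string[] samples =
        {
            "https://app.example.com",
            "https://app.example.com/signin-callback",
            "http://localhost:5100/",
            "http://localhost:5100",
        };

        foreach (string s in samples)
        {
            if (IsOrigin(s, out string origin))
                Console.WriteLine($"ok      {s}");
            else if (origin.Length > 0)
                Console.WriteLine($"reject  {s}  (origin would be {origin})");
            else
                Console.WriteLine($"reject  {s}  (not an absolute URI with a host)");
        }
    }
}
```

Running the check where client data is loaded lets a bad entry be logged or corrected there, rather than surfacing later as a failed token request for the whole client.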
Is it possible to disable this validation via a setting somewhere? We're (ab)using AllowedCorsOrigins to have something like this in there: "https://{environment}app.domain.com" so that we don't have to specify each environment with every client we have. We've made our own implementation of the ICorsPolicyService to replace {environment} with the environments we have. We've also got this in place with RedirectUris and PostLogoutRedirectUris by the way...
ValidateAllowedCorsOriginsAsync is virtual, so you can override and do what you'd prefer.
Thanks! I've actually changed my placeholder to _env_ so that I didn't have to disable the validation. (in case anyone else lands on this "issue")
hey @brockallen
How is it possible to add an allowed CORS origin for a custom file protocol schema inside an Electron app, e.g. {companyname}://web, with the implicit flow? Or is this only possible with a custom CORS policy validator?
thanks :-)
hey @brockallen
This update broke custom scheme URLs (e.g. "capacitor://localhost", "ionic://localhost"). An Ionic app on iOS or Android shows its page at those URLs.
According to OAuth RFC 6749 section 3.1.2, custom schemes are allowed.
I have created a new issue, #3535.
I just upgraded to 2.5.2 and I have the same error:
Invalid client configuration for client x_client: AllowedCorsOrigins contains invalid origin: http://localhost:5100/
What should I add in the AllowedCorsOrigins?
The documentation specifies:
AllowedCorsOrigins = { "http://localhost:7017" },
EDIT:
Hmm, never mind, I figured it out.
I'm getting this with a NativeScript plugin; the origin seems to be file://* and it was working before.
Yes -- I'm going to look into this when I get time next month.
I think this has been fixed via: #3880. Please re-test.