Openiddict-core: OPTIONS requets returns 400 error while adding openiddict to asp.net core api

Created on 12 Jun 2017  路  7Comments  路  Source: openiddict/openiddict-core

hi
Do I need to enable cors on OpenIddict separately? because I thought adding the following codes will handle the cors but as soon as Chrome want to send an options request, my app returns 400!

services.AddCors();
and
app.UseCors(builder => builder.AllowAnyHeader() .AllowAnyMethod() .AllowAnyOrigin() );

I dont know If i need to add something else or not!

the configuration of openiddict is exactly as same as what I read from the wiki section if this project on github. and the project specifications are mentioned below

ASP.net Core v1.1
Client side : SPA Angularjs App using JWT Token

any help ?

question

Most helpful comment

Do I need to enable cors on OpenIddict separately?

You do.

Here is the configuration of openIdDict , it may help

You must register the CORS middleware before OpenIddict.

Don't forget to update your CORS policy to use specific origins (AllowAnyOrigin is not safe).

All 7 comments

Here is the configuration of openIdDict , it may help

    public void ConfigureServices(IServiceCollection services)
    {

        services.Configure<ApplicationSettings>(x => Configuration.GetSection("AppSettings").Bind(x));

        services.AddDbContext<AroosiDbContext>(options =>
        {
            options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection"), b => b.MigrationsAssembly("Aroosi.Api"));
            options.UseOpenIddict();
        });

        services.AddIdentity<User, IdentityRole>()
            .AddEntityFrameworkStores<AroosiDbContext>()
            .AddDefaultTokenProviders();

        // services.Configure<IdentityOptions>(options =>
        // {
        //     options.ClaimsIdentity.UserNameClaimType = OpenIdConnectConstants.Claims.Name;
        //     options.ClaimsIdentity.UserIdClaimType = OpenIdConnectConstants.Claims.Subject;
        //     options.ClaimsIdentity.RoleClaimType = OpenIdConnectConstants.Claims.Role;
        // });

        // Register the OpenIddict services.
        services.AddOpenIddict(options =>
        {
            options.AddEntityFrameworkCoreStores<AroosiDbContext>();
            options.AddMvcBinders();
            options.EnableAuthorizationEndpoint("/connect/authorize")
                .EnableTokenEndpoint("/connect/token");
            options.AllowPasswordFlow();
            options.DisableHttpsRequirement();
            options.UseJsonWebTokens();
            options.AddEphemeralSigningKey();
        });

        services.AddMvcCore().AddJsonFormatters().AddJsonOptions(opts =>
        {
            opts.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver();
        });

        services.AddCors();         
    }


    public async void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, SeedData SeedData, UserManager<User> _userManager)
    {
        loggerFactory.AddConsole(Configuration.GetSection("Logging"));
        loggerFactory.AddDebug();

        app.UseIdentity();

        app.UseOAuthValidation();

        app.UseOpenIddict();

        app.UseMvc();

        app.UseCors(builder =>                
            builder.AllowAnyHeader()
                    .AllowAnyMethod()
                    .AllowAnyOrigin()
        );



        //InitializeAsync(app.ApplicationServices, CancellationToken.None).GetAwaiter().GetResult();
        //app.UseMvcWithDefaultRoute();            
    }

Do I need to enable cors on OpenIddict separately?

You do.

Here is the configuration of openIdDict , it may help

You must register the CORS middleware before OpenIddict.

Don't forget to update your CORS policy to use specific origins (AllowAnyOrigin is not safe).

WOW thanks a lot, by registering the Cors before OpenIddict the problem solved really easy, thank you man. you saved my day

Glad it worked :smile:

Can I ask something else here ?! or I should create a new issue? now even if I don't send the JWT Bearer token in my request, the Authorize attribute won't deny it! (using postman) . Seems there is a logged in user already which allow the postman to fetch data from Authorize marked action without any token

@Foroughi do you use AddMvcCore()?

@PinpointTownes sorry for late responding , yes i used to which changing it to AddMVC fixed my issue

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Typiqally picture Typiqally  路  4Comments

biapar picture biapar  路  5Comments

xperiandri picture xperiandri  路  4Comments

Belaroth picture Belaroth  路  4Comments

levitatejay picture levitatejay  路  3Comments