MSAL.JS Azure AD - CORS - No 'Access-Control-Allow-Origin' header is present on the requested resource. #1117
Comments
Thanks for reaching out
Hello Dary, Jason, Now I can access the web API. I still don't understand one thing. What is the following value: Could you please clarify what to put in this field, and if I put null in it, does that change anything in my case? Best regards,
Hello, After more investigation it seems that I still have the CORS issue even if I added protectedResourceMap. Any help?
@emadalsous Are you using the ADAL.net Identity Model extensions? https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet The URL you provided appears to have been generated from that library, not from Strings that look like
Hello, Thanks for the answer. I am using: Microsoft.AspNetCore.Authentication.AzureAD.UI to secure my Web API: The web API is hosted in a different domain than the website. Effectively, the URL I put here was taken from an example. The URL I used was exposed from custom expose API (unique-value): Below you find how I configured my app: Thanks in advance,
Hello Jason, I found the reason behind this error. It's my bad. Our Web API was configured correctly. Using the following code to enable the authentication caused the problem: It seems not to validate correctly the token passed from the SPA page. So I had to use the code below to activate the authentication correctly: Now the issue has been resolved. In my case the user was sending a token which wasn't validated, so the web API redirected to the Microsoft login page and the CORS error occurred. We can close this issue. Best regards,
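The failure mode described in the comment above, as an added diagnostic sketch that is not part of the original thread or of MSAL: given the raw response an API returns when redirects are not followed, it tells an interactive login redirect (which an XHR turns into a CORS error) apart from a bearer-style 401. The helper name and both sample responses are constructed; the redirect URL is abridged from the error quoted in this issue.

```javascript
// Constructed samples: the redirect is abridged from the error in this issue.
const SAMPLE_LOGIN_REDIRECT = {
  status: 302,
  headers: { Location: 'https://login.microsoftonline.com/tenant_id/oauth2/v2.0/authorize' +
    '?client_id=&redirect_uri=signin-oidc&response_type=id_token&response_mode=form_post' },
};
const SAMPLE_BEARER_401 = {
  status: 401,
  headers: { 'WWW-Authenticate': 'Bearer error="invalid_token"' },
};

// Hypothetical helper. `res` is { status, headers } captured WITHOUT following
// redirects (for example from `curl -i` output).
function classifyChallenge(res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers || {})) h[k.toLowerCase()] = v;

  if (res.status >= 300 && res.status < 400 && h.location) {
    let target;
    try { target = new URL(h.location); } catch { return { kind: 'relative-or-invalid-redirect' }; }
    // An OAuth2/OIDC authorize endpoint means the API answered with a login
    // page redirect. The browser follows it inside the XHR, the identity
    // provider's page carries no Access-Control-Allow-Origin header, and the
    // SPA sees a CORS error instead of an authentication error.
    if (/\/oauth2\/(v2\.0\/)?authorize$/.test(target.pathname)) {
      return {
        kind: 'interactive-login-redirect',
        idp: target.origin,
        responseType: target.searchParams.get('response_type'),
        responseMode: target.searchParams.get('response_mode'),
      };
    }
    return { kind: 'other-redirect' };
  }
  if (res.status === 401) {
    // A token-validating API answers a bad token with 401 itself, no redirect.
    const scheme = (h['www-authenticate'] || '').trim().split(/\s+/)[0].toLowerCase();
    return { kind: scheme === 'bearer' ? 'bearer-challenge' : 'unauthorized' };
  }
  return { kind: res.status >= 200 && res.status < 300 ? 'ok' : 'other' };
}
```

An `interactive-login-redirect` result with `responseMode` of `form_post` points at the API's authentication scheme, not at its CORS policy.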
Hi @emadalsous, @jasonnutter, I've got a similar setup, where I have a web API and an Angular client which are on 2 web apps with different domains. I'm using the MSAL library and am getting CORS errors, specifically "No 'Access-Control-Allow-Origin' header is present on the requested resource". I can't find any clear documentation that shows an example of how I need to set this up both on the server and the client. Did you end up needing protectedResourceMap? And if so, what values do you put in the keys as well as the values?
@liben-y It sounds like your server is not set up to accept CORS requests. I would consult the documentation of the web server framework you are using to find out how to enable that so the server can accept CORS requests from the Angular app's domain.
Hello @liben-y, First you should make sure that your web API accepts CORS requests. This can be done in the startup file. MSAL needs protectedResourceMap if you want to make CORS calls. The key will be the URL of the protected resource (for example: if you want to call https://www.apidomain.net/youcontrollerpath or the root path of your web API to enable it on the API level). The value needs to be defined in your Azure AD app registration in the expose API section. See the following article to achieve this. string[]][]=[ ['https://localhost:44521/EndPoint',['here is you created scope to access the web api']]]; MSAL sends scopes to Azure AD authentication to tell it which resources the user tries to access. I hope this can help you. Best regards,
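The key/value lookup described in the comment above, as an added illustration that is not part of the original thread and is not MSAL's own code: it resolves the scopes for an outgoing request from a protectedResourceMap-shaped array. Matching on exact origin plus path prefix is an assumption of this sketch; the function name, scope strings and the SPA origin are constructed placeholders.

```javascript
// Constructed map in the [resourceUrl, scopes[]] shape shown in the comment.
// Scope values are placeholders for scopes defined under "Expose an API".
const protectedResourceMap = [
  ['https://localhost:44521/EndPoint', ['api://<app-id-placeholder>/access_as_user']],
  ['https://www.apidomain.net/', ['api://<other-app-id-placeholder>/read']],
];

// Hypothetical helper: returns the scopes to request a token for, or null
// when the URL is not a protected resource (no token should be attached).
function scopesForRequest(requestUrl, map, pageOrigin) {
  // Relative URLs (the SPA's own assets) resolve against the page origin.
  const req = new URL(requestUrl, pageOrigin);
  let best = null;
  for (const [resource, scopes] of map) {
    const res = new URL(resource, pageOrigin);
    // Scheme, host and port must all match, so a token for one API is
    // never attached to a request bound for a different host.
    if (res.origin !== req.origin) continue;
    const base = res.pathname.replace(/\/+$/, '');
    // Match the resource path itself or anything below it, on a path
    // segment boundary ("/EndPoint/x" matches, "/EndPointOther" does not).
    const under = req.pathname === base || req.pathname.startsWith(base + '/');
    if (!under) continue;
    // Prefer the most specific (longest) matching entry.
    if (!best || base.length > best.base.length) best = { base, scopes };
  }
  return best ? best.scopes : null;
}
```

A `null` result means the request goes out without an Authorization header, which a protected endpoint will reject.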
Sorry for the late response, I then realized that the examples I was using updated and so did the msal libraries. The issue I had when setting up CORS is, I needed to both set
as well as
previously I was setting up CORS from app.UseCors
needed to provide 2 configurations, one of which contains the protectedResourceMap. Since I'm reading the values from config which I substitute values for during releases, I'm providing it via the following: Works locally with the above, will see what happens when I deploy.
I'm submitting a...
Browser:
Library version
Current behavior
I am trying to authenticate to my web API, which is hosted on App Service, from another web app hosted on a different domain and also hosted on App Service. When I make a call, the MsalInterceptor tries to log me in and then I get the error below in the browser:
Access to XMLHttpRequest at 'https://login.microsoftonline.com/tenant_id/oauth2/v2.0/authorize?client_id=&redirect_uri=signin-oidc&response_type=id_token&scope=openid%20profile&response_mode=form_post&nonce=6370sdfj&state=sdfsdfds-sdfsdfsdf-sd-sdfsdf-T3qwNWW2jRHM&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0' (redirected from 'web api call') from origin 'null' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Expected behavior
CORS is enabled on my web API, as I am able to make API calls without authentication. The issue appears only when I am authenticated. Could you please help me to figure it out?
Minimal reproduction of the problem with instructions