/.well-known/openid-configuration cache-control #275
Comments
If the metadata document does not support CORS, then you can set the data in manually on the settings. Check the wiki for more info. |
Using AADv2.0 I couldn't find how to fix CORS so I got it working by passing this settings object to the UserManager:
I guess the important thing is to pass the metadata to prevent retrieving the well-known/openid-configuration and |
Yep, that's what you need to do if there's no CORS on metdata endpoint. |
The metadata document does support CORS, but i dont think is a CORS problem. if i disable cache in chrome, or hit refresh (with cache on) everything is ok |
Hmm, that sounds like a browser oddity... or maybe vary-by-origin should be added to the metadata document response. In fact, I think I saw an issue on the ASP.NET Core issue tracker about that exact issue: aspnet/CORS#97 |
so do you think its bad to have a cache control header in oidc request for openid-configuration |
No, I don't think it's bad. You just also need a vary by origin response header. |
@lghinet have u fixed it? |
nope, |
Hi, I am having the same problem. Any suggestions on a fix? Thanks |
In the Configure method, make sure that app.UseIdentityServer(); comes AFTER app.UseCors() E.g.
|
I know this is closed, but wanted to mention a related issue I'm having. if It's comparing https://login.microsoftonline.com/067e9632-ea4c-4ed9-9e6d-e294956e284b/v2.0 with https://login.microsoftonline.com/common/v2.0. Did you find a way to get around this issue? If you know the |
Yes, that's a non-spec compliant discovery document tha azure invented for multi-tenancy. |
@brockallen Thanks, got it now. I can work around it, but kind of a pain that there isn't a standard approach for this. |
You can thanks the folks at Microsoft for doing this in a non-spec compliant way. Different token servers solve this in different ways. |
Issue
Hello,
the problem i have is when a users goes from the main domain.com (dashboard) to pay.domain.com, which is another application, then hits the back button of the browser and comes back to the root domain, dashboard, (domain.com) and tries to get the well-known/openid-configuration again from sso, but is serverd from cache, from the subdomain app.
there is no cache control headers set on request . I use oidc client on both
Relevant parts of the log file
The text was updated successfully, but these errors were encountered: