InMemoryCorsPolicyService - rejected because invalid CORS path #1697
Comments
Oh this might be related to the chrome issue -- search the archives. Chrome makes a normal request look like a CORS request (for some reason). We fixed this I think in 2.0.0 (I don't recall which version). |
Unfortunately it's an issue across browsers. On IE I get the following error instead: SCRIPT7002: XMLHttpRequest: Network Error 0x4c7, The operation was canceled by the user. |
Ok, this is different. Why are you making an ajax call to the authorize endpoint? |
We aren't explicitly calling the authorize endpoint but the ApiController's are decorated with the [Authorize] attribute so the framework must be initiating the call for us after the 3 minute window for some reason next time the user hits the API through AJAX. |
Oh, sounds like you're making an API call to your own app, the OIDC middleware is kicking in and triggering a 302 to IdSvr's login process (which starts at the authorize endpoint). The short answer is that your API controllers should be issuing a 401 on failed authorization. |
The user is actually authorized at the point when the issue occurs. They can still click around pages under the management of Controller's decorated with the [Authorize] attribute, just not ApiController's for some reason after 3 minutes of inactivity. So we shouldn't need to issue a 401? Or am I misunderstanding the mechanics of the 401 in this case? We're seeing these messages logged by IdentityServer3: 2015-08-10 16:42 Warning CORS request made for path: /connect/authorize from origin: http://test.myapp.com but rejected because invalid CORS path |
Right -- cookies are used to authenticate to your MVC code, but access tokens are used to authenticate to your Web APIs -- at least that's how it's typically done. I don't know how your stuff is setup, or how you're trying to protect your app, but I am 99% sure that the CORS error is a red herring for whatever the real issue is. |
It does appear I'm just using cookies: app.UseCookieAuthentication(new CookieAuthenticationOptions I'll investigate tokens now. I just assumed the cookies would be shared across both types of controllers. Thank you for your time looking into this. I my be a little while responding now as entering new territory. |
Do you mind scanning your eyes over the my client configuration in case I'm making a noob mistake somewhere (still learning this stuff)? I've added UseIdentityServerBearerTokenAuthentication alongside UseCookieAuthentication, so hopefully this is what's required to use tokens as well as cookies? ...
|
Cookies suffer from XSRF security issues with Web API controllers, so using a token in the authorization header prevents that attack. That's why OIDC is such an important protocol. |
As for the code, your API will still accept the cookie with the config you used. Look into why Web API provides the SuppressDefaultHostAuthentication API call - understanding that will help you understand the right way to do it. |
For others coming across this:
|
I'm trying to enable CORS for clients, but if users wait more than 3 mins before triggering an AJAX call they are getting a "CORS request made for path: /connect/authorize from origin: http://test.myapp.com but rejected because invalid CORS path" error logged.
I'm using a InMemoryCorsPolicyService, but perhaps I'm calling it incorrectly?
I've provided a lot of detail on Stack Overflow before thinking to ask here. I copy the detail here if it would help.
http://stackoverflow.com/questions/31912105/identityserver3-rejected-because-invalid-cors-path
Thank you in advance for any insights you might be able to provide.
The text was updated successfully, but these errors were encountered: