IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

CORS access from AngularJS application #824

Closed selganor74 closed 9 years ago

selganor74 commented 9 years ago

I'm trying to use the Identity Server v2 OAuth2 Resource Owner Flow from an AngularJS app in a CORS scenario. The system responds with 405, as the OPTIONS method is not allowed in any way in the config, so I tried to add CORS config in the Application_Start method as follows:

    protected void Application_Start()
    {
        // create empty config database if it does not exist
        Database.SetInitializer(new ConfigurationDatabaseInitializer());

        // set the anti CSRF for name (that's a unique claim in our system)
        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;

        // setup MEF
        SetupCompositionContainer();
        Container.Current.SatisfyImportsOnce(this);

        AreaRegistration.RegisterAllAreas();

        // Cors ?
        CorsConfig.RegisterCors(GlobalConfiguration.Configuration);

        FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters, ConfigurationRepository);
        RouteConfig.RegisterRoutes(RouteTable.Routes, ConfigurationRepository, UserRepository);
        ProtocolConfig.RegisterProtocols(GlobalConfiguration.Configuration, RouteTable.Routes, ConfigurationRepository, UserRepository, RelyingPartyRepository);
        BundleConfig.RegisterBundles(BundleTable.Bundles);
    }

having set up CORS in this way:

    namespace Thinktecture.IdentityServer.Web.GL
    {
        public class CorsConfig
        {
            public static void RegisterCors(HttpConfiguration httpConfig)
            {
                WebApiCorsConfiguration corsConfig = new WebApiCorsConfiguration();

                corsConfig.RegisterGlobal(httpConfig);

                corsConfig
                    .ForResources("*")
                    .ForOrigins("*")
                    .AllowMethods("*");
            }
        }
    }

Now the response is a straight 200 without any CORS header, so the browser throws an "XMLHttpRequest cannot load ..." error because no CORS headers are returned after the pre-flight OPTIONS request.

I can regularly obtain a token issuing the request via Fiddler. Is there anything I can do?

brockallen commented 9 years ago

And you've disabled webdav? http://brockallen.com/2012/10/18/cors-iis-and-webdav/

selganor74 commented 9 years ago

Removed WebDAV module and handler but no luck. When CORS is enabled I get a straight 200, no tracing, no clue on where the code is passing through... Any clues?

selganor74 commented 9 years ago

I've managed to obtain a Token in CORS by configuring CORS as explained before (this will allow for OPTIONS Method) and then adding custom headers in the httpProtocol section of system.webserver in web.config. Dirty but working solution ...

    <modules>

    </modules>
    <handlers>

    </handlers>
    <httpProtocol>
        <customHeaders>
            <add name="Access-Control-Allow-Methods" value="*" />
            <add name="Access-Control-Allow-Origin" value="*" />
            <add name="Access-Control-Allow-Headers" value="Authorization, Content-Type" />
        </customHeaders>
    </httpProtocol>

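
The browser-side check behind both the failing "200 without CORS headers" preflight and the static headers above, as an added example that is not part of the original thread: a simplified JavaScript model of the Fetch standard's CORS-preflight check. The origin `https://spa.example` and the request shape are constructed assumptions.

```javascript
// Added example: simplified model of the browser's CORS-preflight check (Fetch standard).
// The request and header objects at the bottom are constructed samples, not captured traffic.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];

// Split a comma-separated header value into trimmed, non-empty tokens.
function list(value) {
  return (value || "").split(",").map((t) => t.trim()).filter(Boolean);
}

function checkPreflight(request, response) {
  const h = {};
  for (const [k, v] of Object.entries(response.headers)) h[k.toLowerCase()] = v;
  const creds = request.credentials === true;

  // 1. Origin check: "*" is only honoured for requests without credentials.
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return { ok: false, reason: "no Access-Control-Allow-Origin" };
  if (!(allowOrigin === "*" && !creds)) {
    if (allowOrigin !== request.origin) return { ok: false, reason: "origin not allowed" };
    if (creds && h["access-control-allow-credentials"] !== "true")
      return { ok: false, reason: "credentials not allowed" };
  }
  // 2. The preflight response itself must be a 2xx.
  if (response.status < 200 || response.status > 299)
    return { ok: false, reason: "preflight status " + response.status };

  // 3. Method check (case-sensitive); safelisted methods need no listing.
  const methods = list(h["access-control-allow-methods"]);
  if (!methods.includes(request.method) && !SAFELISTED_METHODS.includes(request.method) &&
      (creds || !methods.includes("*")))
    return { ok: false, reason: "method not allowed: " + request.method };

  // 4. Header check (case-insensitive); Authorization is never covered by "*".
  const allowed = list(h["access-control-allow-headers"]).map((n) => n.toLowerCase());
  for (const name of request.headers.map((n) => n.toLowerCase())) {
    const wildcardOk = !creds && allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !wildcardOk)
      return { ok: false, reason: "header not allowed: " + name };
  }
  return { ok: true, reason: "preflight passes" };
}

// Constructed token request: POST carrying an Authorization header, no cookies.
const tokenRequest = { origin: "https://spa.example", method: "POST",
                       headers: ["authorization"], credentials: false };
// The three static headers from the web.config snippet above.
const webConfigHeaders = { "Access-Control-Allow-Methods": "*",
                           "Access-Control-Allow-Origin": "*",
                           "Access-Control-Allow-Headers": "Authorization, Content-Type" };
```

The model also shows the limits of the wildcard values: `*` stops matching once the request carries credentials, and it never covers `Authorization`, which has to be listed by name.
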
selganor74 commented 9 years ago

Maybe am I missing some CorsEnabling on Token Controllers?

brockallen commented 9 years ago

Did you check the CorsSamples for Thinktecture.IdentityModel.45? You'd have to mimic them in IdentityServer's code:

https://github.com/thinktecture/Thinktecture.IdentityModel.45/tree/master/Samples/CorsSamples

selganor74 commented 9 years ago

Ok, I managed to set it up according to the samples provided.

selganor74 commented 9 years ago

Thank you!