Closed domrin123 closed 8 years ago
@leastprivilege the scope requirement middleware tried to set Access-Control-Allow-Origin
after the CORS middleware had set it. Any idea why the scope requirement middleware sets it, but only when the requested scope is not found - that is, generates a 403 response?
I can't remember. I think there was a problem with terminating the pipeline with a 403 and not setting the headers (e.g. when they are set in web api).
So maybe we need to check the existence of the header first before we emit it...PR? ;)
Sure, I'll do it. Thanks! Do we want to be very defensive and check for existence of all the headers we're trying to set?
On 30 Jun 2016 16:30, "Dominick Baier" wrote:
> I can't remember. I think there was a problem with terminating the pipeline with a 403 and not setting the headers (e.g. when they are set in web api).
> So maybe we need to check the existence of the header first before we emit it...PR? ;)
yes
Hi,
I've set up a basic WebApi project according to the guide here https://identityserver.github.io/Documentation/docsv2/overview/jsGettingStarted.html
Token validation works just fine if I pass the correct api scope in the token, but if it is not included (if the user denies access) then it proceeds to add a 403 to the response as expected.
In EmitCorsResponseHeaders (ScopeRequirementMiddleware.cs) it goes to add CORS headers but throws an exception -
Should this be happening or is there something I have missed? app.UseCors(CorsOptions.AllowAll) is set in the startup.cs as specified in the getting started guide.
Thanks
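One way to implement the existence check agreed on in this thread, as an added example and not the IdentityServer3.AccessTokenValidation source: an OWIN middleware that terminates with a 403 and writes each CORS header only if an earlier middleware has not already set it. The class name, the scope-check delegate, the origin allow-list and the choice of a second header are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Owin;

// Hypothetical middleware for illustration; not the library's ScopeRequirementMiddleware.
public class ScopeCheckWithCorsMiddleware : OwinMiddleware
{
    private readonly Func<IOwinContext, bool> _hasRequiredScope; // assumed scope check
    private readonly ISet<string> _allowedOrigins;               // assumed origin allow-list

    public ScopeCheckWithCorsMiddleware(OwinMiddleware next,
        Func<IOwinContext, bool> hasRequiredScope, ISet<string> allowedOrigins) : base(next)
    {
        _hasRequiredScope = hasRequiredScope;
        _allowedOrigins = allowedOrigins;
    }

    public override Task Invoke(IOwinContext context)
    {
        if (_hasRequiredScope(context)) return Next.Invoke(context);

        // Terminate the pipeline with a 403 and still emit the CORS headers,
        // which is the case discussed in the thread.
        context.Response.StatusCode = 403;
        EmitCorsResponseHeaders(context);
        return Task.FromResult(0);
    }

    private void EmitCorsResponseHeaders(IOwinContext context)
    {
        var origin = context.Request.Headers.Get("Origin");
        // Not a cross-origin request, or an origin this API does not serve.
        if (string.IsNullOrEmpty(origin) || !_allowedOrigins.Contains(origin)) return;

        SetIfAbsent(context.Response.Headers, "Access-Control-Allow-Origin", origin);
        SetIfAbsent(context.Response.Headers, "Access-Control-Expose-Headers", "WWW-Authenticate");
    }

    // Every header goes through this check, so a value already written by
    // app.UseCors(...) earlier in the pipeline is left untouched.
    private static void SetIfAbsent(IHeaderDictionary headers, string name, string value)
    {
        if (!headers.ContainsKey(name)) headers.Set(name, value);
    }
}
```

Leaving an existing value in place keeps the CORS policy decision with the CORS middleware; the fallback path only echoes origins from the allow-list rather than reflecting whatever the request sent.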