IdentityServer / IdentityServer3.AccessTokenValidation

OWIN Middleware to validate access tokens from IdentityServer3
Apache License 2.0

Exception in EmitCorsResponseHeaders after insufficient scope in access token #93

Closed domrin123 closed 8 years ago

domrin123 commented 8 years ago

Hi,

I've set up a basic WebApi project according to the guide here https://identityserver.github.io/Documentation/docsv2/overview/jsGettingStarted.html

Token validation works just fine if I pass the correct api scope in the token, but if it is not included (if the user denies access) then it proceeds to add a 403 to the response as expected.

In EmitCorsResponseHeaders (ScopeRequirementMiddleware.cs) it goes to add CORS headers but throws an exception -

[ArgumentException: The key 'Access-Control-Allow-Origin' is already present in the dictionary.] Microsoft.Owin.Host.SystemWeb.CallHeaders.AspNetResponseHeaders.Add(String key, String[] value) +178 IdentityServer3.AccessTokenValidation.ScopeRequirementMiddleware.EmitCorsResponseHeaders(IDictionary`2 env) in c:\local\identity\server3\AccessTokenValidation\source\AccessTokenValidation\Plumbing\ScopeRequirementMiddleware.cs:97

Should this be happening or is there something I have missed? app.UseCors(CorsOptions.AllowAll) is set in the startup.cs as specified in the getting started guide.

Thanks

mderriey commented 8 years ago

@leastprivilege the scope requirement middleware tried to set Access-Control-Allow-Origin after the CORS middleware had set it. Any idea why the scope requirement middleware sets it, but only when the requested scope is not found - that is, generates a 403 response?

leastprivilege commented 8 years ago

I can't remember. I think there was a problem with terminating the pipeline with a 403 and not setting the headers (e.g. when they are set in web api).

So maybe we need to check the existence of the header first before we emit it...PR? ;)
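The failure described above and the proposed fix, as an added illustration that is not the project's own ScopeRequirementMiddleware: a hypothetical OWIN middleware that emits a CORS header on the 403 path, first with the unguarded `Add` that throws when `app.UseCors` has already written the header, then with the existence check. Echoing the request `Origin` mirrors the `CorsOptions.AllowAll` policy from the getting-started guide; a deployment with an allow-list should apply the same list here rather than echo blindly.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;

// Hypothetical middleware (added example, not the project's code). It uses only
// the standard OWIN environment keys: owin.ResponseStatusCode, owin.ResponseHeaders,
// owin.RequestHeaders.
using AppFunc = System.Func<System.Collections.Generic.IDictionary<string, object>, System.Threading.Tasks.Task>;

public class ScopeDeniedCorsMiddleware
{
    private readonly AppFunc _next;
    public ScopeDeniedCorsMiddleware(AppFunc next) { _next = next; }

    public async Task Invoke(IDictionary<string, object> env)
    {
        await _next(env);
        // Only the 403 (scope missing) path touches CORS headers, as in the report.
        if (env["owin.ResponseStatusCode"] is int status && status == 403)
        {
            EmitCorsResponseHeaders(env);
        }
    }

    // Failing form: IDictionary.Add throws ArgumentException when the CORS
    // middleware (app.UseCors) has already set Access-Control-Allow-Origin.
    static void EmitCorsResponseHeadersUnsafe(IDictionary<string, object> env)
    {
        var headers = (IDictionary<string, string[]>)env["owin.ResponseHeaders"];
        var requestHeaders = (IDictionary<string, string[]>)env["owin.RequestHeaders"];
        if (requestHeaders.TryGetValue("Origin", out var origin))
        {
            headers.Add("Access-Control-Allow-Origin", origin); // throws if present
        }
    }

    // Hardened form: leave whatever the CORS middleware decided untouched and
    // only fill in the header when nothing upstream has set it.
    static void EmitCorsResponseHeaders(IDictionary<string, object> env)
    {
        var headers = (IDictionary<string, string[]>)env["owin.ResponseHeaders"];
        var requestHeaders = (IDictionary<string, string[]>)env["owin.RequestHeaders"];
        if (!requestHeaders.TryGetValue("Origin", out var origin)) return;

        if (!headers.ContainsKey("Access-Control-Allow-Origin"))
        {
            headers["Access-Control-Allow-Origin"] = origin;
        }
    }
}
```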

mderriey commented 8 years ago

Sure I'll do it. Thanks! Do we want to be very defensive and check for existence of all the headers we're trying to set?

On 30 Jun 2016 16:30, "Dominick Baier" notifications@github.com wrote:

> I can't remember. I think there was a problem with terminating the pipeline with a 403 and not setting the headers (e.g. when they are set in web api).
>
> So maybe we need to check the existence of the header first before we emit it...PR? ;)

leastprivilege commented 8 years ago

yes