Cross-Origin Request Blocked: CORS header 'Access-Control-Allow-Origin' missing

Time: 2015-07-13 13:09:49

Tags: c# asp.net-mvc cors thinktecture-ident-server identityserver3

Using Identity Server 3, I am trying to configure CORS by following the documentation. When I perform a GET request, I can see that the response captured in Fiddler is correct, and the Access-Control-Allow-Origin header is missing.

Here is the code used to set up the IdentityServerOptions:

public void Configuration(IAppBuilder app)
{
    var factory = InMemoryFactory.Create(
        clients: Clients.Get(),
        scopes: Scopes.Get());

    var viewOptions = new DefaultViewServiceOptions();
    viewOptions.Stylesheets.Add("/Content/site.css");
    viewOptions.Scripts.Add("/Content/logon.js");
    viewOptions.CacheViews = false;
    factory.ConfigureDefaultViewService(viewOptions);

    // This is where the CORS policy service is configured.
    var corsPolicyService = new DefaultCorsPolicyService();
    corsPolicyService.AllowAll = true;
    factory.CorsPolicyService = new Registration<ICorsPolicyService>(corsPolicyService);

    var userService = new LocalRegistrationUserService();
    factory.UserService = new Registration<IUserService>(resolver => userService);

    var options = new IdentityServerOptions
    {
        SiteName = "IdentityServer",
        SigningCertificate = this.certificateProvider.Certificate,
        Factory = factory,
        RequireSsl = true,

        // This is deprecated, but should still work according to the documentation.
        // However using or not using it makes no change.
        // CorsPolicy = CorsPolicy.AllowAll,

        ProtocolLogoutUrls = logoutUrls,
        AuthenticationOptions = new AuthenticationOptions()
        {
            EnableSignOutPrompt = false,
            EnablePostSignOutAutoRedirect = true,
            PostSignOutAutoRedirectDelay = 5,
        },
    };

    app.Map("/core", idsrvApp =>
    {
        idsrvApp.UseIdentityServer(options);
    });
}

If I make a simple GET request from another website, this is the response I get:

HTTP/1.1 302 Found
Content-Length: 0
Location: https://federation.example.com/core/login?signin=2ce0b4f...71313af
Server: Microsoft-IIS/8.5
Set-Cookie: SignInMessage.2ce0b4f...A1D5NkPJQ; path=/core; secure; HttpOnly
X-Powered-By: ASP.NET
Date: Mon, 13 Jul 2015 12:00:00 GMT

Why is the Access-Control-Allow-Origin header not being applied?

1 answer:

Answer 0 (score: 0)

It seems that the CORS policy service is set up correctly in Identity Server 3, but the requested path is explicitly made unavailable to other servers.

The request path identified by the error in the logging table is:

    CORS request made for path: /connect/authorize from origin: null but rejected because invalid CORS path

I believe this is an additional security measure that prevents a malicious system from signing a user in without the user's consent.

Therefore, the only systems that may call this protected path (for the implicit flow) can be defined in the factory's configuration.
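The following is an added example, not code from the question or the answer above, showing the per-client approach the answer points at: instead of `DefaultCorsPolicyService` with `AllowAll = true`, the allowed origins are declared on each client and a custom `ICorsPolicyService` answers only for those origins. `Client`, `Flows.Implicit`, `AllowedCorsOrigins`, `ICorsPolicyService` and `IsOriginAllowedAsync` are IdentityServer3's public types and members; the client id, redirect URI and origin values are made-up placeholders. Note that this does not make `/connect/authorize` answer CORS requests: as the answer's log line shows, that path is rejected as a CORS path regardless of policy, and the browser is expected to navigate to it rather than call it with XHR.

```csharp
// Added example (not from the original question or answer): restrict CORS to the
// origins declared on known clients instead of allowing every origin.
// Client ids, URIs and origins below are placeholders.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;

public static class Clients
{
    public static IEnumerable<Client> Get()
    {
        return new List<Client>
        {
            new Client
            {
                ClientId = "spa-example",                 // placeholder client id
                ClientName = "Example single-page app",
                Flow = Flows.Implicit,
                RedirectUris = new List<string>
                {
                    "https://app.example.com/callback"    // placeholder redirect URI
                },
                // Only these origins get Access-Control-Allow-Origin on the
                // CORS-enabled endpoints (token, userinfo, discovery, ...).
                AllowedCorsOrigins = new List<string>
                {
                    "https://app.example.com"             // placeholder origin
                },
                AllowedScopes = new List<string> { "openid", "profile" }
            }
        };
    }
}

// CORS policy service that answers only for origins declared on the clients.
public class ClientOriginCorsPolicyService : ICorsPolicyService
{
    private readonly HashSet<string> allowedOrigins;

    public ClientOriginCorsPolicyService(IEnumerable<Client> clients)
    {
        allowedOrigins = new HashSet<string>(
            clients.Where(c => c.AllowedCorsOrigins != null)
                   .SelectMany(c => c.AllowedCorsOrigins),
            StringComparer.OrdinalIgnoreCase);
    }

    public Task<bool> IsOriginAllowedAsync(string origin)
    {
        // An empty or "null" origin (sandboxed frame, file://) is never allowed.
        bool allowed = !string.IsNullOrEmpty(origin)
                       && origin != "null"
                       && allowedOrigins.Contains(origin);
        return Task.FromResult(allowed);
    }
}

public static class CorsWiring
{
    // Replaces the AllowAll registration from the question with the
    // client-scoped policy service above.
    public static void Configure(IdentityServerServiceFactory factory)
    {
        var policy = new ClientOriginCorsPolicyService(Clients.Get());
        factory.CorsPolicyService = new Registration<ICorsPolicyService>(policy);
    }
}
```

With this wiring, a request from `https://app.example.com` to a CORS-enabled endpoint such as the token or userinfo endpoint receives `Access-Control-Allow-Origin: https://app.example.com`, while any other origin receives no CORS headers at all; an `AllowAll` policy would instead echo every origin, including ones the clients never declared.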