Asp.net Core, JWT, and CORS Headers

Question

I'm having an issue getting an appropriate Access-Control-Allow-Origin header back from the server when I have both JWT Bearer Authentication and CORS enabled on the same service. When I remove UseJwtBearerAuthentication from the configuration, everything works.

public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(options =>
        {
            options.AddPolicy("AllowAllOrigins", builder =>
            {
                builder.AllowAnyOrigin();
                builder.AllowAnyHeader();
                builder.AllowAnyMethod();
                builder.AllowCredentials();
            });
        });

        services.AddMvc();
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        loggerFactory.AddConsole(Configuration.GetSection("Logging"));
        loggerFactory.AddDebug();

        app.UseJwtBearerAuthentication(options =>
        {
            options.AutomaticAuthenticate = true;
            options.RequireHttpsMetadata = false;
            options.Audience = "c2cf422a-a432-2038-b183-cda64e16239e";
            options.Authority = "domain.com";
        });

        app.UseCors("AllowAllOrigins");

        app.UseIISPlatformHandler();

        app.UseMvc();
    }

I've tried to change the ordering for configuration, but nothing seems to work. I also tried adding [EnableCors("AllowAllOrigins")] to the controller I'm calling.

I've changed the config order based on the recommendation in the comments and identified the property causing the issue:

app.UseIISPlatformHandler();

        app.UseCors("AllowAllOrigins");

        app.UseJwtBearerAuthentication(options =>
        {
            options.AutomaticAuthenticate = true;
            options.RequireHttpsMetadata = false;
            options.Audience = "c8cf662a-ac73-4050-b285-cda90e22992e";
            options.Authority = "iwdwk.com";
        });

        app.UseMvc();

In the code above, the line below seems to be causing the issue:

options.AutomaticAuthenticate = true;

Unfortunately, I need to have that enabled so I can pass the JWT token through for authorization... Unless there is another way to do this?

Answer 1

I guess, the OPTIONS call from your browser are getting rejected by authentication since they may not contain the bearer token. I am not sure but there must be a way to skip authentication for OPTIONS call when calling UseJwtBearerAuthentication. If you wish to confirm this before then try calling your endpoint from postman, since it skips the OPTIONS call and see if you get the access control headers for actual GET/POST call

Answer 2

If the server throws and exception they clear the headers and so you'll only see the CORS error. The way I used to see what was actually going on was to first get the Bearer Token out of one of my failed requests using the Chrome dev tools.

Next I copied that token and pasted into Postman as the value for an Authorization header in a request. When I did that I finally received that nice developer exception page that told me exactly what I was doing wrong. Which was that I was using the ClientId GUID Azure AD gives out instead of the App URI.

So if you are using Azure AD then your JWT options should look like:

    app.UseJwtBearerAuthentication(options =>
    {
        options.AutomaticAuthenticate = true;
        options.AutomaticChallenge = true;
        options.Authority = "https://login.microsoftonline.com/yourtenant.onmicrosoft.com"
        options.Audience = "https://yourtenant.onmicrosoft.com/AppURI"
    });