How to make CORS Authentication in WebAPI 2?

Question

The scenario is simple, I need to log in from another server (different from the API server) to retrieve the access token.

I installed Microsoft.Owin.Cors package on the API Server. In Startup.Auth.cs file, under public void ConfigureAuth(IAppBuilder app), I added in

app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll); 

In WebApiConfig.cs, under public static void Register(HttpConfiguration config), I added in these lines:

// Cors var cors = new EnableCorsAttribute("*", "*", "GET, POST, OPTIONS"); config.EnableCors(cors); 

What else should I change?

Answer 1

Look at what I have found!

Add in some custom headers inside <system.webServer>.

<httpProtocol>   <customHeaders>     <add name="Access-Control-Allow-Origin" value="*" />     <add name="Access-Control-Allow-Methods" value="GET, POST, OPTIONS, PUT, DELETE" />   </customHeaders> </httpProtocol> 

Then I can do the CORS authentication.

Answer 2

I had many trial-and-errors to setup it for AngularJS-based web client.
For me, below approaches works with ASP.NET WebApi 2.2 and OAuth-based service.

1. Install Microsoft.AspNet.WebApi.Cors nuget package.
2. Install Microsoft.Owin.Cors nuget package.
3. Add config.EnableCors(new EnableCorsAttribute("*", "*", "GET, POST, OPTIONS, PUT, DELETE")); to the above of WebApiConfig.Register(config); line at Startup.cs file.
4. Add app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll); to the Startup.Auth.cs file. This must be done prior to calling IAppBuilder.UseWebApi
5. Remove any xml settings what Blaise did.

I found many setup variations and combinations at here stackoverflow or blog articles. So, Blaise's approach may or may not be wrong. It's just another settings I think.