使用Azure Active Directory对.NET Core 2.2 API进行身份验证时出现CORS错误

本文介绍了使用Azure Active Directory对.NET Core 2.2 API进行身份验证时出现CORS错误的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我正在尝试使用AzureAD在一个网页上设置多租户OpenID身份验证，该网页基于来自Visual Studio 2019的Basic.NET Core 2.2+Reaction项目模板。Core2.2因为3.0上的身份验证中间件根本不会在任何配置下触发，这似乎是一个常见的问题，有关Core3.x身份验证的文档很少，有时甚至相互矛盾。我想我什么都试过了，现在不知所措。

这里，当调用API时，根据服务器输出，身份验证中间件似乎正确生效：

From javascript: // Tried also without custom headers and trying to make the middleware handle the thing by itself fetch('api/SampleData/WeatherForecasts', { method: "get", headers: new Headers({ "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "true" }) }) Server output: info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1] Request starting HTTP/1.1 GET localhost:44363/api/SampleData/WeatherForecasts info: Microsoft.AspNetCore.Routing.EndpointMiddleware[0] Executing endpoint '********.Controllers.SampleDataController.WeatherForecasts (******)' info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[3] Route matched with {action = "WeatherForecasts", controller = "SampleData", area = "", page = ""}. Executing controller action with signature System.Collections.Generic.IEnumerable`1[******.Controllers.SampleDataController+WeatherForecast] WeatherForecasts() on controller ******.Controllers.SampleDataController (*********). info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2] Authorization failed. info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[3] Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'. info: Microsoft.AspNetCore.Mvc.ChallengeResult[1] Executing ChallengeResult with authentication schemes (). info: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[12] AuthenticationScheme: AzureADOpenID was challenged. info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2] Executed action *****.Controllers.SampleDataController.WeatherForecasts (*******) in 439.0343ms info: Microsoft.AspNetCore.Routing.EndpointMiddleware[1] Executed endpoint '******.Controllers.SampleDataController.WeatherForecasts (*******)' info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2] Request finished in 464.9224ms 302

但在返回HTTP 200响应时，我总是在浏览器中收到CORS错误：

Access to fetch at 'login.microsoftonline/common/oauth2/authorize?client_id=**********************&redirect_uri=https%3A%2F%2Flocalhost%3A44363%2Fsignin-oidc&response_type=id_token&scope=openid%20profile&response_mode=form_post&nonce=**************************************************&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.3.0.0' (redirected from 'localhost:44363/api/SampleData/WeatherForecasts') from origin 'localhost:44363' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

我可以手动打开登录页面，但浏览器因此而无法重定向。我甚至将应用程序发布为Azure Web App，但仍然收到相同的CORS错误。我想我已经在Startup.cs中正确设置了所有内容，但似乎都不起作用。然后，我甚至从Azure Web App设置了CORS策略以允许*起源，然后允许相关的起源，但问题仍然存在。

Startup.cs：

public void ConfigureServices(IServiceCollection services) { services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2); services.AddSpaStaticFiles(configuration => { configuration.RootPath = "ClientApp/build"; }); services.Configure<CookiePolicyOptions>(options => { options.CheckConsentNeeded = context => true; options.MinimumSameSitePolicy = SameSiteMode.None; }); services.AddAuthentication(AzureADDefaults.AuthenticationScheme) .AddAzureAD(options => Configuration.Bind("AzureAd", options)).AddCookie(); services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options => { options.TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = false, }; options.Events = new OpenIdConnectEvents { OnTicketReceived = context => { return Task.CompletedTask; }, OnAuthenticationFailed = context => { context.Response.Redirect("/Error"); context.HandleResponse(); // Suppress the exception return Task.CompletedTask; } }; }); /* Tried also with this services.AddCors(setup => { setup.AddPolicy("corspolicy", policy => { policy .AllowAnyOrigin() .AllowAnyHeader() .AllowAnyMethod(); }); }); */ } public void Configure(IApplicationBuilder app, IHostingEnvironment env) { if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); } else { app.UseExceptionHandler("/Error"); // The default HSTS value is 30 days. You may want to change this for production scenarios, see aka.ms/aspnetcore-hsts. app.UseHsts(); } app.UseAuthentication(); // Tried putting this and .UseCors to different places app.UseStaticFiles(); app.UseSpaStaticFiles(); //app.UseCors("corspolicy"); app.UseCors(policy => { policy .AllowAnyOrigin() // Tried with hardcoded origins .AllowAnyMethod() .AllowCredentials() // Tried without this also .AllowAnyHeader(); }); app.UseHttpsRedirection(); app.UseMvc(routes => { routes.MapRoute( name: "default", template: "{controller}/{action=Index}/{id?}"); }); app.UseSpa(spa => { spa.Options.SourcePath = "ClientApp"; if (env.IsDevelopment()) { spa.UseReactDevelopmentServer(npmScript: "start"); } }); }

控制器：

[Authorize] [EnableCors] // Tried with named policy and without EnableCors [ApiController] // Tried without this [Route("api/[controller]")] public class SampleDataController : Controller { private static string[] Summaries = new[] { "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching" }; [HttpGet("[action]")] public IEnumerable<WeatherForecast> WeatherForecasts() { var rng = new Random(); return Enumerable.Range(1, 5).Select(index => new WeatherForecast { DateFormatted = DateTime.Now.AddDays(index).ToString("d"), TemperatureC = rng.Next(-20, 55), Summary = Summaries[rng.Next(Summaries.Length)] }); } // Nonrelevant things omitted } 推荐答案

经过长时间的调查后，您的问题的简短答案是&您不能使用AJAX请求来实现它。您实际上需要您的浏览器转到您发出质询请求的控制器。 这篇文章解释了一切： www.blinkingcaret/2018/10/10/sign-in-with-an-external-login-provider-in-an-angular-application-served-by-asp-net-core/