ASP.NET Core 2:使用[Authorize]对API进行Ajax调用会使预检请求失败 [英] ASP.NET Core 2 : Ajax calls to API with [Authorize] fail the preflight request
问题描述
我有一个具有[Authorize]属性的API控制器,以确保所有调用均由正确登录的用户进行(通过OpenIdConnect,定位到Azure AD).当我加载进行Ajax调用的页面时,API会正确响应.
I have an API controller with the [Authorize] attribute to ensure all calls are made by properly logged-in users (via OpenIdConnect, targeting Azure AD) . When I load the page that makes the Ajax calls, the API responds properly.
但是,在一定时间后,必须重新授权用户,因此ASP.NET Core框架对https://login.microsoftonline.com/进行了调用以重新授权用户.调用失败,并显示以下错误:
However, after a certain amount of time, the user has to be reauthorized, and thus a call to https://login.microsoftonline.com/ is made by the ASP.NET Core framework to reauth the user. That calls fails with the following error:
无法加载 https://login.microsoftonline.com/common/oauth2/authorize?[截断] :对预检请求的响应未通过访问控制检查:所请求的资源上不存在"Access-Control-Allow-Origin"标头.因此,不允许访问来源" https://my.website.com ".
Failed to load https://login.microsoftonline.com/common/oauth2/authorize?[truncated]: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://my.website.com' is therefore not allowed access.
我尝试使用此代码配置CORS标头,但这不能解决我的问题:
I tried to configure the CORS header with this code, but that doesn't solve my issue:
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
// allow reconnection on API calls
app.UseCors(builder => builder
//.WithOrigins("https://login.microsoftonline.com")
.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials()
);
app.UseMvc();
}
请注意,ASP.NET Core 1.0版没有该问题(尽管ASP.NET MVC 5确实存在).
Note that ASP.NET Core version 1.0 didn't have that issue (though ASP.NET MVC 5 did).
推荐答案
我找到了解决此问题的方法.
I found a workaround to my problem.
我没有解决预检请求CORS问题. login.microsoftonline.com不包含CORS标头,因此我什至不确定它是否可以解决.
但是,我找到了一种增加Cookie超时的方法,从而减少了重新验证用户的需要.
I didn't solve the preflight request CORS issue. login.microsoftonline.com doesn't include CORS headers, so I'm not even sure it can be solved.
However, I found a way to increase the cookie timeout, to decrease the need to re-auth the user.
使用Microsoft.AspNetCore.Identity时,有几个cookie:
When using Microsoft.AspNetCore.Identity, there are several cookies:
-
IdentityConstants.ApplicationSchemecookie -
IdentityConstants.ExternalSchemecookie -
IdentityConstants.TwoFactorRememberMeSchemecookie -
IdentityConstants.TwoFactorUserIdSchemecookie
- the
IdentityConstants.ApplicationSchemecookie - the
IdentityConstants.ExternalSchemecookie - the
IdentityConstants.TwoFactorRememberMeSchemecookie - the
IdentityConstants.TwoFactorUserIdSchemecookie
用于AJAX请求的一个是IdentityConstants.ExternalScheme cookie,默认情况下它设置为在5分钟后过期(您可以在
The one used for AJAX requests is the IdentityConstants.ExternalScheme cookie, which by default is set to expire after 5 minutes (you can see the defaults on github).
要增加外部cookie超时,请执行以下操作:
To increase the external cookie timeout:
services.ConfigureExternalCookie(options =>
{
options.ExpireTimeSpan = TimeSpan.FromDays(14);
});
这篇关于ASP.NET Core 2:使用[Authorize]对API进行Ajax调用会使预检请求失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
