CORS works for access token but not for refresh token in Web Api 2

Problem description

I have a web api 2 app which I call to using an angularjs client. The web api app is capable of issuing access tokens and refresh tokens for authentication.

Having the following lines in the "GrantResourceOwnersCredentials" method, the CORS is working fine for allowing to issue access tokens:

var allowedOrigin = context.OwinContext.Get<string>("as:clientAllowedOrigin");
if (allowedOrigin == null) allowedOrigin = "*";
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin });

However, when I try to issue refresh tokens through the angularjs app, I get this good old error in the console:

OPTIONS http://localhost:65141/token
(index):1 XMLHttpRequest cannot load http://localhost:65141/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:56815' is therefore not allowed access. The response had HTTP status code 400.

I was wondering as the access tokens are being issued fine, and the refresh tokens are also issued using the same endpoint, what should I do to overcome this issue?

By the way, the angular code is fine. I disabled google chrome web security and then everything worked! Any help is greatly appreciated!

Recommended answer

After searching the whole freaking internet, here is what I found that resolves the problem. Adding this code to the AuthorizationProvider will resolve the problem:

public override Task MatchEndpoint(OAuthMatchEndpointContext context)
{
    if (context.IsTokenEndpoint && context.Request.Method == "OPTIONS")
    {
        context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
        context.OwinContext.Response.Headers.Add("Access-Control-Allow-Headers", new[] { "authorization" });
        context.RequestCompleted();
        return Task.FromResult(0);
    }

    return base.MatchEndpoint(context);
}
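
The override above answers every preflight with `Access-Control-Allow-Origin: *`. As an added example (not code from the original post), this variant of the same `MatchEndpoint` override echoes the origin only when it is on an allowlist. The class name `AllowlistCorsProvider`, the helper `PreflightHeaders`, and the allowlist contents are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Added example: hypothetical provider name; needs the Microsoft.Owin.Security.OAuth package.
public class AllowlistCorsProvider : OAuthAuthorizationServerProvider
{
    // Assumption: a fixed allowlist. The entry below is the AngularJS origin shown in the
    // question's console error; replace it with the real client origins.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.Ordinal) { "http://localhost:56815" };

    // Pure decision logic, kept separate so it can be unit-tested without OWIN.
    // Returns the CORS headers for a preflight, or an empty map for an unknown origin.
    public static IDictionary<string, string> PreflightHeaders(string origin)
    {
        var headers = new Dictionary<string, string>();
        if (string.IsNullOrEmpty(origin) || !AllowedOrigins.Contains(origin))
            return headers; // no CORS headers: the browser blocks the cross-origin call

        headers["Access-Control-Allow-Origin"] = origin;   // echo the exact origin, not "*"
        headers["Vary"] = "Origin";                        // keep caches from mixing origins
        headers["Access-Control-Allow-Methods"] = "POST";  // the token endpoint only needs POST
        headers["Access-Control-Allow-Headers"] = "authorization, content-type";
        return headers;
    }

    public override Task MatchEndpoint(OAuthMatchEndpointContext context)
    {
        if (context.IsTokenEndpoint && context.Request.Method == "OPTIONS")
        {
            foreach (var h in PreflightHeaders(context.Request.Headers.Get("Origin")))
                context.Response.Headers.Set(h.Key, h.Value);
            context.RequestCompleted(); // answer the preflight here; no token logic runs
            return Task.FromResult(0);
        }
        return base.MatchEndpoint(context);
    }
}
```

This only covers the preflight; the response to the actual POST still needs its own `Access-Control-Allow-Origin` header, as the snippet in the question sets when issuing access tokens.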
