CORS不适用于使用Thinktecture.IdentityModel.45的/ token

Question

(我很抱歉在这里和github都发布了这个问题,但我真的需要帮助...)

在使用Thinktecture.IdentityModel.45进行身份验证时,我无法启用CORS(System.Web.Http.Cors).

我的令牌端点有问题,我使用的是默认的"/ token".

发生的事情是,当调用/ token(来自javascript客户端)时,浏览器发出2个调用,"OPTION"调用和"/ token"资源的"GET"调用.我正在使用一个简单的PolicyProviderFactory,以便能够检查请求是否获得正确的CORS策略,它只是返回

        new EnableCorsAttribute("*", "*", "*");

第一个OPTION调用有效,GetCorsPolicyProvider被命中.另一个调用有效,但GetCorsPolicyProvider没有被命中,结果是服务器返回200 OK,包含所有正确的标题等,但内容响应为空.

我需要在路由配置中为令牌资源添加以下内容,否则我会得到"未找到".

        config.Routes.MapHttpRoute(
            name: "SecurityToken",
            routeTemplate: "api/token");

在所有其他请求中,OPTIONS和GET都会调用CORS策略提供程序,一切正常.我调试了thinktecture.identitymodel和相应的响应,返回正确的令牌.

/ token资源的GET方法不会调用CORS策略提供程序..但为什么呢？CorsMessageHandler已加载但从未被调用.如何判断请求是否会触发CORS/CorsMessageHandler？

诊断跟踪:

w3wp.exe Information: 0 : Request, Method=OPTIONS, Url=https://localhost/myapp/api/token, Message='https://localhost/myapp/api/token'
w3wp.exe Information: 0 : Message='CorsPolicyProvider selected: 'System.Web.Http.Cors.EnableCorsAttribute'', Operation=MyPolicyProviderFactory.GetCorsPolicyProvider
w3wp.exe Information: 0 : Message='CorsPolicy selected: 'AllowAnyHeader: True, AllowAnyMethod: True, AllowAnyOrigin: True, PreflightMaxAge: null, SupportsCredentials: True, Origins: {}, Methods: {}, Headers: {}, ExposedHeaders: {}'', Operation=EnableCorsAttribute.GetCorsPolicyAsync
w3wp.exe Information: 0 : Message='CorsResult returned: 'IsValid: True, AllowCredentials: True, PreflightMaxAge: null, AllowOrigin: https://localhost:4433, AllowExposedHeaders: {}, AllowHeaders: {access-key,authorization}, AllowMethods: {GET}, ErrorMessages: {}'', Operation=CorsEngine.EvaluatePolicy
w3wp.exe Information: 0 : Operation=CorsMessageHandler.SendAsync, Status=200 (OK)
w3wp.exe Information: 0 : Operation=AuthenticationHandler.SendAsync, Status=200 (OK)
w3wp.exe Information: 0 : Response, Status=200 (OK), Method=OPTIONS, Url=https://localhost/myapp/api/token, Message='Content-type='none', content-length=unknown'
w3wp.exe Information: 0 : Request, Method=GET, Url=https://localhost/myapp/api/token, Message='https://localhost/myapp/api/token'
w3wp.exe Information: 0 : Operation=AuthenticationHandler.SendAsync, Status=200 (OK)
w3wp.exe Information: 0 : Response, Status=200 (OK), Method=GET, Url=https://localhost/myapp/api/token, Message='Content-type='application/json; charset=utf-8', content-length=851'

身份验证配置如下所示:

var authentication = new AuthenticationConfiguration
    {
         ClaimsAuthenticationManager = new ClaimsTransformer(),
         RequireSsl = false, 
         EnableSessionToken = true,
         SendWwwAuthenticateResponseHeaders = true
     };

     var accessKeyHandler = new SimpleSecurityTokenHandler(
            "accessKey", 
            AccessKey.Validate);

        authentication.AddAccessKey(
            accessKeyHandler,
            AuthenticationOptions.ForHeader("access-key"));

        authentication.AddBasicAuthentication(UserCredentials.Validate, retainPassword: true);
        PassiveSessionConfiguration.ConfigureMackineKeyProtectionForSessionTokens();

Answer 1

为了让CORS与OWIN Token端点很好地配合,我必须安装Microsoft.Owin.CorsNuget包,然后添加以下代码:

Startup.Auth.cs

using Microsoft.Owin.Cors;
// ...

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // ...
        app.UseCors(CorsOptions.AllowAll);

添加软件包并在代码中配置CORS后,它工作得很好.