Blazorwasm CORS JWT Bearer

[marcelovidigal]

I have a client using Blazor Wasm, Blazor Client, preview 9, and I am having a issue with token authentication. If using Kestrel when a http request is made, I am getting 204 NoContent with a options verb, followed by a 500 server error, when using IIS, I am getting a browser erro, with advice about CORS, anyone can help me, my API is with authentication e authorization via JWT Token enabled and with CORS enabled too. The API works well with Postman, Fiddler, etc. but not with Blazor Client in browser.

In Startup I have

services.AddAuthentication().AddJwtBearer(cfg =>
{
cfg.RequireHttpsMetadata = false;
cfg.SaveToken = true;
cfg.TokenValidationParameters = new TokenValidationParameters()
{
ValidIssuer = "XXXX_XXXX_XXXX",
ValidAudience = "XXXX_XXXX_XXXX_XXXX",
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key))
};
}); 
services.AddAuthorization(auth =>
{
auth.AddPolicy("Bearer", 
new 
AuthorizationPolicyBuilder().AddAuthenticationSchemes(
JwtBearerDefaults.AuthenticationScheme).RequireAuthenticatedUser().Build());
});
...
services.AddCors(options =>
{
options.AddPolicy("CorsPolicy",
builder => builder
.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials());
});
...
app.UseCors("CorsPolicy");

When I remove the Bearer authorization from controller actions, the app request respond ok, with CORS working correct, I test with CORS and without CORS and this part works properly, but with authorization I have the before described behave, 204 options and 500 server error in test and CORS blocking in browser with the API hosted in IIS. What can I do? Anyone have some idea about this?

[dcarr42]

I have seen many variations of this due to incorrect cors config.

#4457 (comment)
#4457 (comment)

Also maybe hitting this change

#7751

[rynowak]

The CORS docs for Blazor are here: https://docs.microsoft.com/en-us/aspnet/core/blazor/call-web-api?view=aspnetcore-3.0#cross-origin-resource-sharing-cors

I'd suggest you take a look at your server logs with #7551 - looking at your server logs is always a good bet when you see a 500.

[marcelovidigal]

The CORS docs for Blazor are here: https://docs.microsoft.com/en-us/aspnet/core/blazor/call-web-api?view=aspnetcore-3.0#cross-origin-resource-sharing-cors

I'd suggest you take a look at your server logs with #7551 - looking at your server logs is always a good bet when you see a 500.

My API server works properly, and tested with other clients works Ok. I tested with other variations of startup configurations, see, only with CORS setup the browser responds ok, without CORS setup in startup file in API, the browser blocks CORS, so CORS works properly, but, when a include setup of identity and authorization, then the browser respond this form, kestrel - 204 e 500, IIS - Cross Origin Block. If I remove CORS, and mantain security, all works fine, with browser CORS disabled. I dont know why, I will investigate more deepely. So, my problem is JWT and CORS don't work toghether. As mentioned here, there is other cases with Blazor Client, but I dont know yet if it is a issue especifically with Blazor.

Thank you for contacting us. Due to no activity on this issue we're closing it in an effort to keep our backlog clean. If you believe there is a concern related to the ASP.NET Core framework, which hasn't been addressed yet, please file a new issue.