CORS policy proplem

I implemented the login social flow in Backend using .NET Core.

This is my config in Startup.cs file

  var domain = $"https://{Configuration["Auth0:Domain"]}/";

            //Add authentication services
            services.AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            })
            .AddCookie()
            .AddOpenIdConnect("Auth0", options =>
            {
                // Set the authority to your Auth0 domain
                options.Authority = $"https://{Configuration["Auth0:Domain"]}";

                // Configure the Auth0 Client ID and Client Secret
                options.ClientId = Configuration["Auth0:ClientId"];
                options.ClientSecret = Configuration["Auth0:ClientSecret"];

                // Set response type to code
                options.ResponseType = "code";

                // Configure the scope
                options.Scope.Add("openid");
                options.Scope.Add("email");
                options.Scope.Add("profile");
                options.Scope.Add("update:users");
                options.Scope.Add("update:current_user_identities");

                // Set the callback path, so Auth0 will call back to http://localhost:3000/callback
                // Also ensure that you have added the URL as an Allowed Callback URL in your Auth0 dashboard
                options.CallbackPath = new PathString("/callback");

                options.SaveTokens = true;

                // Configure the Claims Issuer to be Auth0
                options.ClaimsIssuer = "Auth0";

                options.Events = new OpenIdConnectEvents
                {
                    OnAuthorizationCodeReceived = context =>
                    {
                        var a = context.JwtSecurityToken;
                        var b = context.Result;

                        return Task.FromResult(0);
                    },
                    OnRedirectToIdentityProvider = context =>
                    {
                        if (context.Properties.Items.ContainsKey("connection"))
                            context.ProtocolMessage.SetParameter("connection", context.Properties.Items["connection"]);

                        context.ProtocolMessage.SetParameter("audience", $"https://{Configuration["Auth0:Domain"]}/api/v2/");
                        
                        return Task.FromResult(0);
                    },
                    //handle the logout redirection
                    OnRedirectToIdentityProviderForSignOut = (context) =>
                    {
                        var logoutUri = $"https://{Configuration["Auth0:Domain"]}/v2/logout?client_id={Configuration["Auth0:ClientId"]}";

                        var postLogoutUri = context.Properties.RedirectUri;
                        if (!string.IsNullOrEmpty(postLogoutUri))
                        {
                            if (postLogoutUri.StartsWith("/"))
                            {
                                var request = context.Request;
                                postLogoutUri = request.Scheme + "://" + request.Host + request.PathBase + postLogoutUri;
                            }

                            logoutUri += $"&returnTo={ Uri.EscapeDataString(postLogoutUri)}";
                        }

                        context.Response.Redirect(logoutUri);
                        context.HandleResponse();

                        return Task.CompletedTask;
                    }
                };
            });

this is my controller

[HttpGet("login")]
        public async Task<IActionResult> LoginSocial([FromQuery] string redirectUri = "/", [FromQuery] string connection = "")
        {


            var properties = new AuthenticationProperties()
            {
                RedirectUri = redirectUri,
            };

            if (!string.IsNullOrEmpty(connection))
                properties.Items.Add("connection", connection);

            return Challenge(properties, "Auth0");
        }

when I called this api on the browser it worked fine but when FE side called it return cors error
from https://my-auth0-domain.us.auth0.com/authorize… redirected from ‘https://my-backend-domain/api/account/login?connection=facebook&redirectUri=http://localhost:3000’) from origin ‘http://localhost:3000’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

when FE side called https://my-auth0-domain.us.auth0.com/authorize directly still received cors error
Access to XMLHttpRequest at ‘https://my-auth0-domain.auth0.com/authorize?response_type=code&client_id=my-auth0-client-id&connection=facebook&redirect_uri=http://localhost:3000’ from origin ‘http://localhost:3000’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

we did try to use the api above but still received cors error.

the reason why we doing this as we want to redirect directly to the facebook login screen instead of via auth0 login screen.

It’s likely the frontend is trying to fetch the request as an XMLHttpRequest in the browser. The /authorize URL is meant to be redirected to, not fetched. You can do something like window.location = URL;.

If that doesn’t help, it’d help to see the FE code that triggers this.

1 Like

Thank you, it works perfectly.

1 Like

Thanks for helping on this one Thameera!