CORS is a flaming pile of %%$@$% about bookservice HOT 17 CLOSED

Instead of having a crack why don't you explain the errors you are seeing?

from bookservice.

Hi, can you describe your scenario, what you tried, and the errors you're getting? The Web API CORS docs are here. Also you might try asking on Stack Overflow, where probably more people will see the question.

from bookservice.

thanks for the replies, I have been trying to figure it all out and I am starting to get an idea of what's going on that is not what I first thought it was.

small background:

I have a bunch of OData 4 controllers and some Web API controllers in a project along with Identity Server V3 for token auth / OAUth.

when I had a web ui and all of this as one project no problems.
as we are getting closer to a production application we are splitting them up and now CORS is showing up.
I am able to get a token and that works.
I was getting 405 error and then 500 errors and I think I fixed the 405 with changes I made but now the 500 is a problem.
at first I thought this was CORS due to the way the browser console in chrome spits out an error message that says that the header is missing so it says it's a CORS error when it is really a server side 500 that is the real problem.

I have an api that has always worked in the past so I am now figuring out why it's giving me a 500
ONLY WHEN a TOKEN is passed!
no token the service returns the right data and I get a 200 OK.
add an OAUTH bearer token and the plumbing never gets to the API logic and returns a 500.
the way the WebAPI libraries can return an error w/o hiting my api controller code makes for an interesting day.

in general on stack overflow I found a lot of different replies to how to work with CORS ranging from changing the web.config file to adding code to the server to hacking the browser side logic to defeat it.
this to me is a bad sign that there is a lack of good documentation on how to work with it.
Also in other posts I have seen Microsoft staff in Odata related questions who seemed to think that CORS was not a topic that Microsoft has anything to do with.... like they had no clue that it's part of the OWIN modules.

from bookservice.

also how to debug the web api stack when it's tossing a 500 ?? several times I have had that case and spent hours finding the problem and how to fix it. my request gets to the server and then the server sends back a 500. my code is never executed and my logging can't catch the error.
we need a way to make the system log server errors
I am sure it can be done but how should we do that in general ?

from bookservice.

Have you written a unit test or an integration test?

from bookservice.

here is my current test:
call the api with a bearer token and I get an http 500 server error
call wo a token and the api works.
I will have to try and check what changed that has caused this.... I was able to run the calls before and the last thing was trying to get CORS working.

very small changes were made before that and I will have to back track to see at what step it went sideways.
it may take some time to find the root problem... something in the asp.net code is for some reason breaking so I can't see the error.

from bookservice.

Are you aware you can drill into a web response to get the exact error from a server?

from bookservice.

Matt: no How can I do that ? that would be great help !!!!!
that is what I need right now.

from bookservice.

Do you have the auth pipeline configured for the Web API app?

Did you read the section "Passing Credentials in Cross-Origin Requests" in the CORS docs?

from bookservice.

up till now I had the enablecors in the web api register with no parameter.
my api calls have had a custom authorize attribute replacing the default [Authorize] call as that was how I was getting the token to give me the roles info.
I am looking at the doc link this is the first time I saw that and before now things have been working possibly the wrong way but working...

also I see the client script withcredentails setting that I will need to look at.
I have Swashbuckle and Swashbucle.Odata to give us Swagger pages and they also have been working.
right now they are also working upto the token on the server.

I will need a day or two to check my code to the documentation and see if that gets me on track.
might be delayed a bit on this as I am in centeral florida east of tampa and west of Orlando
and it looks like the hurricane is going to give us a good mess for the next day or two.

from bookservice.

public string GetWebResponse()
{
var response = "";
try
{
 // Your code here
}
catch(WebException ex)
{
using (var errorResponse = (HttpWebResponse)ex.Response);
using (var reader = new StreamReader(errorResponse.GetResponseStream()))
{
// This response is the information you need.
response = reader.ReadToEnd();
}
return response;
}
}

from bookservice.

where are you attaching that method ???
public string GetWebResponse()
what class ??
my controllers have logging and try catch logic.
my server error is before my code is called.
so my post() and get() api calls never get to run my code.

from bookservice.

Also how are you building you OAuth headers?

Are you doing something like this?

var url = "https://somedomain.com/resource/v1/";
var request = WebRequest.Create(url) as HttpWebRequest;
request.Method = "POST";
request.ContentType = "text/xml";
var oAuthHeader = "OAuth oauth_consumer_key=Mu4u9pLRfDrxhPVK5y, oauth_nonce=5346IG1e5bV3ytQwdFqkP8Rgr0VJiA9Xb4FE0, oauth_signature=64545G%2Byp%2F2BsqJ%2BUUgbjIIIV9E%3D, oauth_signature_method=HMAC-SHA1, oauth_timestamp=1330022891, oauth_token=ivouGxpsJbyIU5viPKOO, oauth_version=1.0";
request.Headers.Add("Authorization", oAuthHeader);
var response = request.GetResponse();

from bookservice.

If you're controllers have try catch in them then you are breaking SOLID principles. I would personally inject your dependencies using a dependency injector like SimpleInjector or Ninject. Regardless add the catch WebException... to the top of your exceptions. You can change the method or put it into whatever class you like. It's just a method with a return of string. You don't have to follow that, just the catch.

from bookservice.

Bearer Token.
"Authorization" "Bearer: "
OAuth 2.0
Tokens come from Identity Server 3.0
along the lines of the samples here
https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Clients
have been using resource owner flow but am moving to OIDC as it has benefits in what it adds.
but OIDC still gives the same kind of token data.
all of our data requests are JSON not XML

from bookservice.

re- the try catch: I think you have missed a point: the 500 is not in my code, it's before my code so I can't catch it.

from bookservice.

Can you post your code with a comment as to where you get the error please?

from bookservice.