I am trying to get a bearer token to make an azure rest api call in my ASP.net application. My http request works in postman, but not when I test with my application in localhost. With the fetch mode set to "cors", I get an error that the request has been blocked by CORS policy. With the fetch mode set to "no-cors", I get a Bad Request error. How can I get the bearer token in my application? I would like to get the token without a login popup if possible.

Hi @Caroline Henning , Thanks for reaching out. Here bad request can be due to 'Access-Control-Allow-Origin' header is not set. To allow specific headers to be sent in a CORS request, call WithHeaders and specify the allowed headers: builder => { builder.WithOrigins("http://contoso.com") .WithHeaders(HeaderNames.ContentType, "x-custom-header"); }); Also, You can enable CORS through different ways in ASP.net application as disabling the CORS is not recommended for security reasons. 1.Using a default policy in middleware 2.With endpoint routing, CORS can be enabled on a per-endpoint basis using the RequireCors() in the middleware as 3.With the [EnableCors] attribute in the controller class or controller action method as Ref : Enable CORS in ASP.NET application Thanks, Shweta Please remember to " Accept Answer " if answer helped you.

CORS issue when getting bearer token in ASP.net application

Accepted answer

Shweta Mathur 27,711 Reputation points Microsoft Employee

2022-02-01T13:58:15.33+00:00

Hi @Caroline Henning ,

Thanks for reaching out.

Here bad request can be due to 'Access-Control-Allow-Origin' header is not set. To allow specific headers to be sent in a CORS request, call WithHeaders and specify the allowed headers:

builder =>
{
builder.WithOrigins("http://contoso.com")
.WithHeaders(HeaderNames.ContentType, "x-custom-header");
});

Also, You can enable CORS through different ways in ASP.net application as disabling the CORS is not recommended for security reasons.

1.Using a default policy in middleware
2.With endpoint routing, CORS can be enabled on a per-endpoint basis using the RequireCors() in the middleware as
3.With the [EnableCors] attribute in the controller class or controller action method as

Ref : Enable CORS in ASP.NET application

Thanks,
Shweta

Please remember to "Accept Answer" if answer helped you.
Please sign in to rate this answer.
Caroline Henning 46 Reputation points

2022-02-01T17:43:46.587+00:00

Hi @Shweta Mathur , thanks for your response! I have tried to add the Access-Control-Allow-Origin header:

var myHeaders = new Headers();
myHeaders.append("Content-Type", "application/x-www-form-urlencoded");
myHeaders.append("Access-Control-Allow-Origin", "login.microsoftonline.com");

var urlencoded = new URLSearchParams();
urlencoded.append("grant_type", "client_credentials");
urlencoded.append("tenant", "{tenant id}");
urlencoded.append("client_secret", "{client secret}");
urlencoded.append("scope", "https://graph.microsoft.com/.default");
urlencoded.append("client_id", "{client id}");

var requestOptions = {
method: 'POST',
mode: 'no-cors',
headers: myHeaders,
body: urlencoded,
redirect: 'follow',
};

fetch("https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/token", requestOptions)
.then(response => console.log(response))
.then(result => console.log(result))
.catch(error => console.log('error', error));

Still, fetching with no-cors leads to a 400 Bad Request error, and fetching with cors leads to "blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled" error message. Have I misunderstood your recommendation?

Shweta Mathur 27,711 Reputation points Microsoft Employee

2022-02-03T14:08:59.347+00:00

Hi @ CarolineHenning-0794,

CORS issues handled in many ways based on different browsers and frontend. For ASP. net to fetch the bearer token is very secure process. So its never recommended to use no-cors while making cross origin request.

For ASP. net best possible ways to handle CORS is as mentioned above.

Also, you can update web.config as below to allow request from all origins.

var cors = new EnableCorsAttribute("", "", "*");
config.EnableCors(cors);

I am still looking more ways to handle in asp.net.

Thanks,
Shweta

Caroline Henning 46 Reputation points

2022-02-03T16:37:26.957+00:00

Hi Shweta, thank you for your help! I have actually gotten the issue resolved by moving the http request to a C# controller class. I was seeing these issues when calling directly from JS code, not sure why this makes a difference.
Sign in to comment

CORS issue when getting bearer token in ASP.net application

0 additional answers