
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at xxx/.well-known/openid-configuration. (Reason: header ‘abp.tenantid’ is not allowed according to header ‘Access-Control-Allow-Headers’ #11464


astrea created

What is your product version? 10.3.0
What is your product type (Angular or MVC)? Angular
What is product framework type (.net framework or .net core)? .net core

Dear Support Team,

We are facing a problem making OpenID authentication work. We configured the OpenID authentication to connect to Auth0.

We face a CORS mismatch between the request and response headers when the server tries to retrieve the .well-known/openid-configuration file.

The front end submits the preflight with the following headers: Access-Control-Request-Headers: abp.tenantid,cache-control,expires,pragma,x-requested-with

Auth0 returns the following: access-control-allow-headers: Origin, Content-Type, Accept, X-Requested-With, Authorization, Auth0-Client, X-Request-Language

The browser rejects the connection with the following message: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://edulab.au.auth0.com/.well-known/openid-configuration. (Reason: header ‘abp.tenantid’ is not allowed according to header ‘Access-Control-Allow-Headers’ from CORS preflight response).

Our question is how to tweak the Access-Control-Request-Headers or disable them altogether?

We urgently seek your help, as we have one tenant's production down.

Kind Regards, Matt
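
The preflight comparison described in the question above, as an added example (not part of the original post and not ABP or Auth0 code): it derives the Access-Control-Request-Headers list from a request's headers and checks it against the quoted access-control-allow-headers value, following the Fetch standard's preflight rules in simplified form. The helper names are hypothetical, and the request header casing and values are constructed.

```javascript
// Added example. Header names and the Auth0 allow-list are copied from the
// post; header casing and values in SAMPLE_REQUEST are constructed.
const SIMPLE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

// Simplified CORS-safelisted check (the Fetch standard also limits value
// bytes and length, and conditionally safelists Range; not modeled here).
function isSafelisted(name, value) {
  if (["accept", "accept-language", "content-language"].includes(name)) return true;
  if (name !== "content-type") return false;
  return SIMPLE_TYPES.includes(value.split(";")[0].trim().toLowerCase());
}

// Access-Control-Request-Headers as the browser derives it: names of the
// non-safelisted request headers, lower-cased and sorted.
function preflightHeaderNames(headers) {
  return Object.entries(headers)
    .map(([name, value]) => [name.toLowerCase(), String(value)])
    .filter(([name, value]) => !isSafelisted(name, value))
    .map(([name]) => name)
    .sort();
}

// Requested names the preflight response does not allow. Any entry here
// makes the browser block the request; the message quoted in the post
// names only one of them.
function rejectedHeaders(requested, allowHeaders, { credentials = false } = {}) {
  const allowed = new Set(allowHeaders.split(",").map(h => h.trim().toLowerCase()).filter(Boolean));
  // "*" is a wildcard only without credentials and never covers Authorization.
  const wildcard = allowed.has("*") && !credentials;
  return requested
    .map(name => name.toLowerCase())
    .filter(name => !allowed.has(name) && !(wildcard && name !== "authorization"));
}

const SAMPLE_REQUEST = {
  "Accept": "application/json",
  "Abp.TenantId": "1",
  "Cache-Control": "no-cache",
  "Expires": "Sat, 01 Jan 2000 00:00:00 GMT",
  "Pragma": "no-cache",
  "X-Requested-With": "XMLHttpRequest",
};
const AUTH0_ALLOW = "Origin, Content-Type, Accept, X-Requested-With, Authorization, Auth0-Client, X-Request-Language";

const requested = preflightHeaderNames(SAMPLE_REQUEST);
console.log("requested:", requested.join(","));
console.log("rejected: ", rejectedHeaders(requested, AUTH0_ALLOW).join(","));
```

With the headers quoted in the post, cache-control, expires and pragma are also absent from the allow list, so the same check fails for them as well as for abp.tenantid.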


3 Answer(s)
  • ismcagdas created
    Support Team

    Hi Matt,

    The problem might be something different. Have you checked your server-side log file? There might be a helpful error message. Also, is it possible for us to test this scenario? If so, could you share the related information with [email protected]?

    Thanks,

  • astrea created

    Hi @ismcagdas,

    No error logs from the server side. If I understand correctly, authentication happens on the front end via the angular-oauth2-oidc.js module.

    I will provide auth0 client id and screenshots to your email.

    An additional discovery I made was that the cors module didn't exist in 10.0.0 (couldn't find it in package.json). If it is possible to disable "cors": "^2.8.5", maybe that would temporarily solve my problem.

    Thank you! Matt

  • ismcagdas created
    Support Team

    Hi @astrea

    You can temporarily disable CORS and see if it causes the problem or not, because sometimes the Angular app wrongly shows a CORS error even though the real error is different.