CORS works for access token but not for refresh token in Web Api 2

  • Question

  • User-1846394570 posted

    I have a Web API 2 app which I call using an AngularJS client. The Web API app is capable of issuing access tokens and refresh tokens for authentication.

    With the following lines in the "GrantResourceOwnerCredentials" method, CORS is working fine for issuing access tokens:

    var allowedOrigin = context.OwinContext.Get<string>("as:clientAllowedOrigin");
    if (allowedOrigin == null) allowedOrigin = "*";
    context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { allowedOrigin });

    However, when I try to issue refresh tokens through the angularjs app, I get this good old error in the console:

    OPTIONS http://localhost:65141/token
    (index):1 XMLHttpRequest cannot load http://localhost:65141/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:56815' is therefore not allowed access. The response had HTTP status code 400.

    I was wondering, as the access tokens are being issued fine and the refresh tokens are also issued using the same endpoint, what should I do to overcome this issue?

    By the way, the angular code is fine. I disabled Google Chrome web security and then everything worked! Any help is greatly appreciated!

    Tuesday, August 11, 2015 12:25 AM

All replies

  • User1287536547 posted

    Do you have the client registered? And what ApplicationType is the client registered as? I am assuming it is registered as JavaScript not as native. It looks like you registered the client's Allowed Origin as http://localhost:65141 and you are making the request from http://localhost:56815.

    Hope it helps!

    Tuesday, August 11, 2015 2:22 AM
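
The browser-side check behind the error message in the question, and the origin mismatch raised in the reply, as an added example that is not part of the original posts. It is a simplified model of the CORS preflight check (it does not look at Access-Control-Allow-Methods or Access-Control-Allow-Headers); the function names are hypothetical and the sample responses are constructed from the two origins quoted in the thread.

```javascript
// Added example: simplified model of the browser's CORS preflight check.
// Function names are hypothetical; the sample responses are constructed.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Returns { allowed, reason } for the response to a preflight (OPTIONS) request.
function checkPreflight(requestOrigin, response, withCredentials = false) {
  const h = normalizeHeaders(response.headers || {});
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) {
    return { allowed: false, reason: `no Access-Control-Allow-Origin header (status ${response.status})` };
  }
  // "*" only satisfies non-credentialed requests; otherwise the value must equal
  // the request origin exactly (scheme, host and port).
  if (!(acao === "*" && !withCredentials) && acao !== requestOrigin) {
    return { allowed: false, reason: `allowed origin ${acao} does not match ${requestOrigin}` };
  }
  if (withCredentials && h["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "Access-Control-Allow-Credentials is not true" };
  }
  if (response.status < 200 || response.status > 299) {
    return { allowed: false, reason: `preflight status ${response.status} is not 2xx` };
  }
  return { allowed: true, reason: "ok" };
}

const ORIGIN = "http://localhost:56815"; // client origin from the error message
const CASES = {
  // Constructed responses from the /token endpoint to the OPTIONS request.
  asReported:   { status: 400, headers: {} },
  mismatch:     { status: 200, headers: { "Access-Control-Allow-Origin": "http://localhost:65141" } },
  wildcard:     { status: 200, headers: { "Access-Control-Allow-Origin": "*" } },
  exact:        { status: 200, headers: { "Access-Control-Allow-Origin": ORIGIN } },
  headerBut400: { status: 400, headers: { "Access-Control-Allow-Origin": "*" } },
};

for (const [name, res] of Object.entries(CASES)) {
  const r = checkPreflight(ORIGIN, res);
  console.log(name.padEnd(13), r.allowed ? "ALLOW" : "BLOCK", "-", r.reason);
}
```

Comparing the headers captured from the failing OPTIONS response in the browser's network tab against these cases shows which of the conditions the token endpoint is not meeting.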