Can I put CORS into a mediator pipeline behaviour?

  • Question

  • User1034446946 posted

    Hi

    I need to add CORS to my public API, and I need to allow it to be dynamic, e.g. adding new UIs through an API, so hard coding it into the startup file isn't an option.

    Is there any reason I should build my own authentication and add it to a pipeline behaviour?

    And is there anything I need to take into consideration?

    Thursday, April 23, 2020 3:28 PM

Answers

  • User-474980206 posted

    EnenDaveyBoy

    I am not trying to authorise; I already do that using JWTs later on in the pipeline.

    I am looking to set up to validate the origin (and only the origin) of the request, in the best/simplest way possible across all platforms.

    So while the answer is yes for websites, how do I authenticate the origin on a mobile app etc.?

    CORS is not done server side; it's a client-side validation done by the browser (not the server). As a mobile app loads from the device, there is no origin to verify. In the case of mobile apps, the closest thing to an origin is the app store (where the app came from).

    Your server will never get the origin, nor is there a secure way to get it. If added to the payload, there is no way to verify it.

    This is all unrelated to any JWT values (which deal with the origin of the ticket, not the request).

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, April 24, 2020 3:08 PM

All replies

  • User475983607 posted

    EnenDaveyBoy

    Hi

    I need to add CORS to my public API, and I need to allow it to be dynamic, e.g. adding new UIs through an API, so hard coding it into the startup file isn't an option.

    Is there any reason I should build my own authentication and add it to a pipeline behaviour?

    And is there anything I need to take into consideration?

    Use the standard CORS middleware API. See the docs.

    https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-3.1

    Keep in mind, CORS is browser security, not server. In other words, CORS only works for browser-based applications that send HTTP requests through JavaScript.

    https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

    Thursday, April 23, 2020 3:33 PM
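    Added example (not code from the original thread or from the ASP.NET Core docs): the standard CORS middleware does not need a static origin list. `SetIsOriginAllowed` takes a delegate that is evaluated per request, so the allowed origins can live in a store that the registration API updates at runtime. `IAllowedOriginStore` and `InMemoryAllowedOriginStore` are hypothetical names for whatever the CMS uses to hold its registered UIs; `https://spa.example.com` is a constructed sample value. Targets ASP.NET Core 3.1, matching the linked docs.

```csharp
using System;
using System.Collections.Concurrent;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical abstraction over the table/cache of registered UIs.
public interface IAllowedOriginStore
{
    bool IsAllowed(string origin);
    void Add(string origin);
    void Remove(string origin);
}

// Thread-safe in-memory implementation. A real deployment would back this with the
// CMS database and cache lookups, since the delegate runs on every cross-origin request.
public sealed class InMemoryAllowedOriginStore : IAllowedOriginStore
{
    private readonly ConcurrentDictionary<string, byte> _origins =
        new ConcurrentDictionary<string, byte>(StringComparer.OrdinalIgnoreCase);

    public bool IsAllowed(string origin) =>
        // Accept only a full scheme://host[:port] origin; "null" or a bare host never matches.
        Uri.TryCreate(origin, UriKind.Absolute, out var uri)
        && (uri.Scheme == Uri.UriSchemeHttps || uri.Scheme == Uri.UriSchemeHttp)
        && _origins.ContainsKey(origin);

    public void Add(string origin) => _origins[origin] = 0;
    public void Remove(string origin) => _origins.TryRemove(origin, out _);
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        var store = new InMemoryAllowedOriginStore();
        store.Add("https://spa.example.com");          // constructed sample: one registered UI
        services.AddSingleton<IAllowedOriginStore>(store); // registration API adds/removes via this

        services.AddCors(options =>
        {
            options.AddPolicy("DynamicOrigins", policy =>
            {
                // Evaluated per request: origins added or removed through the
                // registration API take effect without restarting the app.
                policy.SetIsOriginAllowed(origin => store.IsAllowed(origin))
                      .WithHeaders("Authorization", "Content-Type")
                      .WithMethods("GET", "POST", "PUT", "DELETE");
                // Deliberately no AllowCredentials(): the SPAs send a bearer token, not cookies.
                // Reflecting a dynamic origin together with credentials would let every
                // registered site make cookie-bearing cross-site requests.
            });
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseCors("DynamicOrigins");   // must sit between UseRouting and UseAuthorization
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

    As the replies above say, this only controls which origins a browser will let read the response; any non-browser client still receives the body regardless of the Origin header it sends.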
  • User-474980206 posted

    There is a max length on the CORS header value (4k-16k depending on servers and proxies). Also, CORS is only implemented by browser AJAX calls; it has no effect on other users of your API. From the web server's point of view CORS is a return header value; it is not related to authentication, though it's hard to understand why an anonymous site would not allow all.

    Thursday, April 23, 2020 3:40 PM
  • User1034446946 posted

    Sorry, public is bad wording, I meant forward-facing API.

    This is primarily for SPAs which will access my APIs.

    However, should I also implement another token-based system like payment gateways etc., where you have a customer and a secret? If so, how do I go about doing that?

    And do I do both CORS and the other mentioned?

    Thursday, April 23, 2020 6:34 PM
  • User475983607 posted

    EnenDaveyBoy

    Sorry, public is bad wording, I meant forward-facing API.

    This is primarily for SPAs which will access my APIs.

    However, should I also implement another token-based system like payment gateways etc., where you have a customer and a secret? If so, how do I go about doing that?

    And do I do both CORS and the other mentioned?

    It seems like you are very confused. As stated above, if this is a public API where users create accounts to use your service then CORS needs to be enabled for all URL origins. If you control the SPA then enable CORS for the SPA's origin.

    If you need a central token server, then you can use Google, Facebook, Azure, or your own. I use IdentityServer4 to secure API resources.

    Can you explain in plain language what you are trying to do?

    Thursday, April 23, 2020 7:11 PM
  • User1034446946 posted

    I will have an API which is a CMS.

    So I know I will have a list of all the UIs which will have access to the API: websites (mainly SPAs), mobile apps and sometime in the future desktop apps.

    The list of possible UIs will increase and decrease over time as and when needed and cannot be listed statically like in all the examples of CORS I have seen.

    I am just trying to work out what needs to be done to secure it.

    My thinking was CORS will validate the origin of the request, but then I thought I could replace CORS with an access token which would then work across all platforms; however that's not a good idea, because the access token would be in the website and make it pointless for the web.

    However, I am still going to need to look into access tokens in the future, so I still needed to ask the question.

    Thursday, April 23, 2020 8:48 PM
  • User475983607 posted

    I will have an API which is a CMS.

    So I know I will have a list of all the UIs which will have access to the API: websites (mainly SPAs), mobile apps and sometime in the future desktop apps.

    The list of possible UIs will increase and decrease over time as and when needed and cannot be listed statically like in all the examples of CORS I have seen.

    I am just trying to work out what needs to be done to secure it.

    My thinking was CORS will validate the origin of the request, but then I thought I could replace CORS with an access token which would then work across all platforms; however that's not a good idea, because the access token would be in the website and make it pointless for the web.

    However, I am still going to need to look into access tokens in the future, so I still needed to ask the question.

    It is very clear from your response that you need to set aside time to learn CORS and OAuth/OIDC before moving forward.

    CORS security runs in the browser and applies only to HTTP requests made from JavaScript. CORS does not stop the server from returning a response. CORS does not secure a Web API.

    An access token is a string returned from an authorization endpoint after validating client/user credentials. The client/user sends the token when requesting secured resources. That does not mean the user/client can access the resource. Your authorization policy determines if a user/client is granted or denied access.

    Thursday, April 23, 2020 9:44 PM
  • User1034446946 posted

    I am not trying to authorise; I already do that using JWTs later on in the pipeline.

    I am looking to set up to validate the origin (and only the origin) of the request, in the best/simplest way possible across all platforms.

    So while the answer is yes for websites, how do I authenticate the origin on a mobile app etc.?

    Friday, April 24, 2020 12:28 AM
  • User475983607 posted

    I am not trying to authorise; I already do that using JWTs later on in the pipeline.

    I am looking to set up to validate the origin (and only the origin) of the request, in the best/simplest way possible across all platforms.

    So while the answer is yes for websites, how do I authenticate the origin on a mobile app etc.?

    Again, it seems like you are confused and misunderstand the fundamentals. I'm not sure if you are asking a new question or if you are still on the CORS subject.

    The Origin HTTP header identifies the host and port that generated a web page. An HTTP request from a mobile application will not have an Origin header. It's not using a browser and the UI did not come from a web site.

    The JWT design should include an "origin" claim. The Web API application uses an "origin" claim policy that allows/denies access to API resources. I explained this concept in my last thread.

    Friday, April 24, 2020 11:05 AM
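    Added example (not code from the original thread) covering the two points made above: the token server validates the client, the API validates the token, and an authorization policy decides access from a claim in the token. Here the claim is named "origin" as the reply suggests; it names the registered client the token was issued to, not the HTTP request's Origin header. The issuer, audience, claim values and the symmetric signing key are assumptions for a self-contained illustration; with a real token server (IdentityServer4 or any OIDC provider) you would set `Authority` instead and let the handler fetch the provider's public signing keys. Needs the Microsoft.AspNetCore.Authentication.JwtBearer package, ASP.NET Core 3.1.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    // Registered UIs; constructed sample values, loaded from the CMS database in practice.
    private static readonly HashSet<string> RegisteredClients = new HashSet<string>
    {
        "https://spa.example.com",
        "com.example.cms.android",
    };

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidIssuer = "https://auth.example.com",   // assumption: the token server
                    ValidAudience = "cms-api",                    // "aud" names this API, not the caller
                    // Assumption: shared secret for HS256. Must be at least 32 bytes and come
                    // from configuration/secret store, never from source code.
                    IssuerSigningKey = new SymmetricSecurityKey(
                        Encoding.UTF8.GetBytes("replace-with-a-32-byte-or-longer-secret-from-config")),
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    ClockSkew = TimeSpan.FromSeconds(30),
                };
            });

        services.AddAuthorization(options =>
        {
            // The token must carry an "origin" claim that names a currently registered UI.
            // Removing a UI from RegisteredClients revokes its access on the next request,
            // even while its tokens are still within their lifetime.
            options.AddPolicy("RegisteredClient", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireAssertion(ctx =>
                      {
                          var origin = ctx.User.FindFirst("origin")?.Value;
                          return origin != null && RegisteredClients.Contains(origin);
                      }));
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController]
[Route("api/content")]
[Authorize(Policy = "RegisteredClient")]   // 401 without a valid token, 403 without a registered origin
public class ContentController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok(new { items = new[] { "page-1", "page-2" } });
}
```

    The value of the "origin" claim is only as trustworthy as the credential the token server checked before issuing it: an SPA or a mobile app is a public client and cannot keep a secret, so the claim tells you which registered client asked for the token, not that the bytes on the wire came from that client's code.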
  • User1034446946 posted

    mgebhard

    The origin HTTP header identifies the host and port that generated a web page.  An HTTP request from a mobile application will not have an origin header.  It's not using a browser and the UI did not come from a web site. 

    Thanks, so how would a mobile app authenticate the origin in an API that has multiple apps calling the same APIs? (Would it have a basic JWT in the source code?)

    Is aud the origin in a JWT?

    Friday, April 24, 2020 1:00 PM
  • User475983607 posted

    Thanks, so how would a mobile app authenticate the origin in an API that has multiple apps calling the same APIs? (Would it have a basic JWT in the source code?)

    Is aud the origin in a JWT?

    No.

    According to the openly published specs: https://tools.ietf.org/html/rfc7519#page-9

    The "aud" (audience) claim identifies the recipients that the JWT is intended for.

    Keep in mind, you invented the origin requirement. I have no idea how your requirement works.

    Friday, April 24, 2020 2:24 PM
  • User1034446946 posted

    CORS is not done server side, its a client side validation done by the browser (not server). as a mobile app loads from the device, there is no origin to verify. In the case of mobile apps, the closest thing to an origin is the app store (where the app came from).

    That's confusing; doesn't the server verify the CORS fields supplied by the browser based on the origins list in the startup file?

    Friday, April 24, 2020 3:23 PM
  • User475983607 posted

    That's confusing; doesn't the server verify the CORS fields supplied by the browser based on the origins list in the startup file?

    Read the specifications rather than guessing how CORS works.

    https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

    Friday, April 24, 2020 4:50 PM
  • User1034446946 posted

    EnenDaveyBoy

    That's confusing; doesn't the server verify the CORS fields supplied by the browser based on the origins list in the startup file?

    Read the specifications rather than guessing how CORS works.

    https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

    So what if you have an API which serves 100+ websites?

    Friday, April 24, 2020 4:59 PM
  • User475983607 posted

    EnenDaveyBoy

    So what if you have an API which serves 100+ websites?

    What is the subject of this question?

    If the subject is still CORS then it does not matter. CORS does not apply to web sites making HTTP requests to a Web API. CORS only applies to HTTP requests generated from JavaScript running in a browser.

    Friday, April 24, 2020 5:32 PM
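    Added example (not code from the original thread): the check a practitioner would run to see the point made throughout this thread. A plain HttpClient calls the API twice, once with a registered origin and once with an origin the CORS policy does not allow, and prints the status, the Access-Control-Allow-Origin header and the body length. The URL, origins and the CMS_TOKEN environment variable are assumptions; run it against a local build of the API (trust the dev certificate with `dotnet dev-certs https --trust` first). Both calls get the same status and the same body; the only difference is whether the allow header is present, which is exactly the signal a browser uses to hide the response from page script.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;

public static class CorsProbe
{
    // Assumptions: local API endpoint and a token for it in the CMS_TOKEN variable
    // (omit the variable if the endpoint under test is anonymous).
    private const string Endpoint = "https://localhost:5001/api/content";

    public static async Task Main()
    {
        var token = Environment.GetEnvironmentVariable("CMS_TOKEN");
        using var client = new HttpClient();

        // Constructed sample origins: one registered with the CORS policy, one not.
        foreach (var origin in new[] { "https://spa.example.com", "https://evil.example" })
        {
            using var request = new HttpRequestMessage(HttpMethod.Get, Endpoint);
            // A non-browser client can put anything in Origin; nothing on the server can verify it.
            request.Headers.TryAddWithoutValidation("Origin", origin);
            if (!string.IsNullOrEmpty(token))
                request.Headers.TryAddWithoutValidation("Authorization", "Bearer " + token);

            using var response = await client.SendAsync(request);
            var body = await response.Content.ReadAsStringAsync();
            var allowOrigin = response.Headers.TryGetValues("Access-Control-Allow-Origin", out var values)
                ? string.Join(",", values)
                : "(header absent: a browser would block page script from reading this body)";

            Console.WriteLine($"Origin={origin}");
            Console.WriteLine($"  status={(int)response.StatusCode} bodyLength={body.Length}");
            Console.WriteLine($"  Access-Control-Allow-Origin={allowOrigin}");
        }
    }
}
```

    Whatever protects the data therefore has to be the token and the authorization policy behind it, not the CORS configuration.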