astro/src/content/docs/identityserver/tokens/cors.md
Lines changed: 30 additions & 1 deletion
@@ -96,4 +96,33 @@ IdentityServer in the service provider (e.g. in `ConfigureServices`).
96
96
97
97
:::note
98
98
IdentityServer requires a `ICorsPolicyService` implementation to control CORS for the endpoints it hosts, like the [OIDC Token](/identitymodel/endpoints/token.md) and [OIDC UserInfo](/identitymodel/endpoints/userinfo.md) endpoints. If you prefer to use ASP.NET Core's CORS Policy programming model, you will also need to add a `ICorsPolicyService` implementation for any CORS settings on the IdentityServer endpoints.
99
-
:::
99
+
## Mixing IdentityServer's CORS Policy With ASP.NET Core's CORS Policies
100
+
101
+
Duende IdentityServer builds upon the standard ASP.NET Core CORS middleware. If your application needs to support CORS for both IdentityServer endpoints and your own custom API endpoints, they can coexist by following these integration rules.
102
+
103
+
### Middleware Registration Order
104
+
105
+
For both systems to function correctly, the order of registration in your middleware pipeline is important. Always place the standard CORS middleware *after* the IdentityServer middleware:
106
+
107
+
```csharp
108
+
app.UseIdentityServer();
109
+
app.UseCors("MyCustomPolicy"); // Must come after IdentityServer
110
+
```
111
+
112
+
### Custom CORS Policies
113
+
114
+
You should continue to use ASP.NET Core CORS features exactly as documented by Microsoft. Your existing configurations will not interfere with IdentityServer:
115
+
116
+
***Named Policies:** Policies defined in `AddCors` and referenced via `[EnableCors]` attributes or middleware will work as expected.
117
+
***Inline Policies:** Defining a policy directly within `app.UseCors(builder => ...)` is fully supported.
118
+
119
+
### Advanced Customization: `ICorsPolicyProvider`
120
+
121
+
The only potential conflict occurs if you implement a custom [`ICorsPolicyProvider`](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.cors.infrastructure.icorspolicyprovider).
122
+
123
+
IdentityServer registers its own `ICorsPolicyProvider` to handle its internal endpoints, such as the [token](/identitymodel/endpoints/token.md) and [user info](/identitymodel/endpoints/userinfo.md) endpoints. To ensure both your custom logic and IdentityServer's logic run:
124
+
125
+
1.**Register your `ICorsPolicyProvider` first:** Register your custom provider in `ConfigureServices`*before* calling `AddIdentityServer`.
126
+
2.**The Decorator Pattern:** IdentityServer automatically detects your provider and wraps it. It will consult your provider first; if your provider doesn't handle the request, IdentityServer will then apply its own logic.
127
+
128
+
Note that while ASP.NET Core manages the middleware, IdentityServer uses an internal service called [`ICorsPolicyService`](/identityserver/reference/stores/cors-policy-service.md) to decide which origins are allowed to access its specific endpoints. If you prefer to use the ASP.NET Core CORS Policy programming model for everything, you will need to provide a custom `ICorsPolicyService` implementation that bridges your ASP.NET Core settings to IdentityServer's endpoints.
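Review bot: In the "Advanced Customization" list, item 2 says IdentityServer consults the custom `ICorsPolicyProvider` first and applies its own logic only "if your provider doesn't handle the request", but the text never defines that condition. Because the custom provider runs first, readers need to know what happens when it returns a policy for a request to the token or user info endpoint, and whether that result replaces the origin check made by `ICorsPolicyService`. Suggest stating the exact fall-through condition (for example, the provider returning no policy) and advising that a custom provider should not return a permissive policy for IdentityServer's endpoints. Two smaller points: the "Middleware Registration Order" section says the order is important without saying what breaks when `UseCors` is placed before `UseIdentityServer`, and the closing "Note that ..." paragraph repeats the `:::note` directly above the new heading, so one of the two could be dropped or turned into a link.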