Clarify ICorsPolicyService is needed for CORS on IdentityServer endpoints #1073
ProgrammerAL merged 4 commits into main
maartenba left a comment
Re-read what was there originally and tried to clarify that a bit, incorporating the note you added. Will leave it to you to decide which makes more sense - am good with either.
(if you do merge this suggestion, need to verify the GitHub PR interface updates the entire section upon merge and not just the note - bit clunky interface)
Co-authored-by: Maarten Balliauw <maarten.balliauw@duendesoftware.com>
Pull request overview
This PR updates the IdentityServer token CORS documentation to clarify how ICorsPolicyService relates to CORS behavior on IdentityServer-hosted (protocol) endpoints.
Changes:
- Adds a new note and additional guidance about `ICorsPolicyService` and ASP.NET Core CORS integration for IdentityServer endpoints.
- Adds a middleware-order example and expanded explanation around mixing IdentityServer and ASP.NET Core CORS behavior.
| IdentityServer in the service provider (e.g. in `ConfigureServices`). | ||
|
|
||
| :::note | ||
| IdentityServer requires a `ICorsPolicyService` implementation to control CORS for the endpoints it hosts, like the [OIDC Token](/identitymodel/endpoints/token.md) and [OIDC UserInfo](/identitymodel/endpoints/userinfo.md) endpoints. If you prefer to use ASP.NET Core's CORS Policy programming model, you will also need to add a `ICorsPolicyService` implementation for any CORS settings on the IdentityServer endpoints. |
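Review bot: Both links in the note point under /identitymodel/ (`/identitymodel/endpoints/token.md` and `/identitymodel/endpoints/userinfo.md`), while the sentence is about endpoints that IdentityServer itself hosts. Please confirm these are the intended targets for a page under identityserver/tokens, and that absolute links ending in `.md` resolve in the built site.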
Wording: use "an ICorsPolicyService" (not "a") in both occurrences on this line.
| IdentityServer requires a `ICorsPolicyService` implementation to control CORS for the endpoints it hosts, like the [OIDC Token](/identitymodel/endpoints/token.md) and [OIDC UserInfo](/identitymodel/endpoints/userinfo.md) endpoints. If you prefer to use ASP.NET Core's CORS Policy programming model, you will also need to add a `ICorsPolicyService` implementation for any CORS settings on the IdentityServer endpoints. | |
| IdentityServer requires an `ICorsPolicyService` implementation to control CORS for the endpoints it hosts, like the [OIDC Token](/identitymodel/endpoints/token.md) and [OIDC UserInfo](/identitymodel/endpoints/userinfo.md) endpoints. If you prefer to use ASP.NET Core's CORS Policy programming model, you will also need to add an `ICorsPolicyService` implementation for any CORS settings on the IdentityServer endpoints. |
| IdentityServer in the service provider (e.g. in `ConfigureServices`). | ||
|
|
||
| :::note | ||
| IdentityServer requires a `ICorsPolicyService` implementation to control CORS for the endpoints it hosts, like the [OIDC Token](/identitymodel/endpoints/token.md) and [OIDC UserInfo](/identitymodel/endpoints/userinfo.md) endpoints. If you prefer to use ASP.NET Core's CORS Policy programming model, you will also need to add a `ICorsPolicyService` implementation for any CORS settings on the IdentityServer endpoints. |
This sentence reads like the host application must provide a custom ICorsPolicyService for IdentityServer endpoints. Since IdentityServer registers a default ICorsPolicyService (e.g., from in-memory/EF client stores), consider rephrasing to clarify that IdentityServer uses ICorsPolicyService for its hosted endpoints, and that you only need to implement one when you want to customize/bridge from ASP.NET Core CORS policies.
| IdentityServer requires a `ICorsPolicyService` implementation to control CORS for the endpoints it hosts, like the [OIDC Token](/identitymodel/endpoints/token.md) and [OIDC UserInfo](/identitymodel/endpoints/userinfo.md) endpoints. If you prefer to use ASP.NET Core's CORS Policy programming model, you will also need to add a `ICorsPolicyService` implementation for any CORS settings on the IdentityServer endpoints. | |
| IdentityServer uses an `ICorsPolicyService` implementation to control CORS for the endpoints it hosts, like the [OIDC Token](/identitymodel/endpoints/token.md) and [OIDC UserInfo](/identitymodel/endpoints/userinfo.md) endpoints. If you prefer to use ASP.NET Core's CORS Policy programming model for those IdentityServer endpoints, you only need to add a custom `ICorsPolicyService` implementation when you want to bridge or customize those settings. |
|
|
||
| For both systems to function correctly, the order of registration in your middleware pipeline is important. Always place the standard CORS middleware *after* the IdentityServer middleware: | ||
|
|
||
| ```csharp |
Docs convention: code blocks should include a file title (e.g., // Program.cs as the first line, or a title="..." attribute). This snippet currently has neither, unlike the earlier example in this same page.
| ```csharp | |
| ```csharp title="Program.cs" |
| ## Mixing IdentityServer's CORS Policy With ASP.NET Core's CORS Policies | ||
|
|
||
| Duende IdentityServer builds upon the standard ASP.NET Core CORS middleware. If your application needs to support CORS for both IdentityServer endpoints and your own custom API endpoints, they can coexist by following these integration rules. | ||
|
|
||
| ### Middleware Registration Order | ||
|
|
||
| For both systems to function correctly, the order of registration in your middleware pipeline is important. Always place the standard CORS middleware *after* the IdentityServer middleware: |
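Review bot: The "Middleware Registration Order" paragraph tells readers to always place the standard CORS middleware after the IdentityServer middleware but, in the lines shown, gives no reason for that order. Add one sentence on what goes wrong when the two are reversed, so a reader can diagnose a misordered pipeline rather than copy the order by rote. The intro above it also says IdentityServer "builds upon the standard ASP.NET Core CORS middleware" and then refers to "both systems"; pick one framing so it is clear whether one or two CORS mechanisms are in play.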
PR description says this change adds a note clarifying ICorsPolicyService for IdentityServer-hosted endpoints, but the diff also adds an entire new (duplicated) section with additional guidance and sample code. Please confirm whether the intent is to only add a short note, or to replace/expand the existing mixing section (and update the content accordingly).
| IdentityServer in the service provider (e.g. in `ConfigureServices`). | ||
|
|
||
| :::note | ||
| IdentityServer requires a `ICorsPolicyService` implementation to control CORS for the endpoints it hosts, like the [OIDC Token](/identitymodel/endpoints/token.md) and [OIDC UserInfo](/identitymodel/endpoints/userinfo.md) endpoints. If you prefer to use ASP.NET Core's CORS Policy programming model, you will also need to add a `ICorsPolicyService` implementation for any CORS settings on the IdentityServer endpoints. |
The :::note admonition opened here is never closed with :::. As a result, the following headings/content will render inside the note (and may break page structure). Close the note after the intended paragraph (and add a blank line) before starting the next section.
| IdentityServer requires a `ICorsPolicyService` implementation to control CORS for the endpoints it hosts, like the [OIDC Token](/identitymodel/endpoints/token.md) and [OIDC UserInfo](/identitymodel/endpoints/userinfo.md) endpoints. If you prefer to use ASP.NET Core's CORS Policy programming model, you will also need to add a `ICorsPolicyService` implementation for any CORS settings on the IdentityServer endpoints. | |
| IdentityServer requires a `ICorsPolicyService` implementation to control CORS for the endpoints it hosts, like the [OIDC Token](/identitymodel/endpoints/token.md) and [OIDC UserInfo](/identitymodel/endpoints/userinfo.md) endpoints. If you prefer to use ASP.NET Core's CORS Policy programming model, you will also need to add a `ICorsPolicyService` implementation for any CORS settings on the IdentityServer endpoints. | |
| ::: |
|
|
||
| :::note | ||
| IdentityServer requires a `ICorsPolicyService` implementation to control CORS for the endpoints it hosts, like the [OIDC Token](/identitymodel/endpoints/token.md) and [OIDC UserInfo](/identitymodel/endpoints/userinfo.md) endpoints. If you prefer to use ASP.NET Core's CORS Policy programming model, you will also need to add a `ICorsPolicyService` implementation for any CORS settings on the IdentityServer endpoints. | ||
| ## Mixing IdentityServer's CORS Policy With ASP.NET Core's CORS Policies |
This page already contains a ## Mixing IdentityServer's CORS Policy With ASP.NET Core's CORS Policies section earlier. Adding another section with the same heading will be confusing and creates duplicated guidance; consider extending the existing section instead (or rename this new section to avoid duplication).
| ## Mixing IdentityServer's CORS Policy With ASP.NET Core's CORS Policies | |
| ## IdentityServer CORS Services and Custom Policy Providers |
Added a note to the end of `~/identityserver/tokens/cors.md` to clarify that `ICorsPolicyService` is required for CORS on IdentityServer hosted endpoints
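
An added example, not part of this pull request or of Duende's documentation, of the bridging case raised in the review: a custom `ICorsPolicyService` that answers IdentityServer's origin check from an ASP.NET Core named CORS policy, so the allowed origins are declared in one place. The class name, policy name and origin are hypothetical, and client and scope configuration is stubbed with empty lists.

```csharp
// Program.cs (added illustration; names and origins are constructed)
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Services;
using Microsoft.AspNetCore.Cors.Infrastructure;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

// One source of truth: an ordinary ASP.NET Core named CORS policy.
builder.Services.AddCors(options =>
    options.AddPolicy(PolicyBridgeCorsService.PolicyName, policy =>
        policy.WithOrigins("https://spa.example.com"))); // constructed sample origin

builder.Services.AddIdentityServer()
    .AddInMemoryClients(Array.Empty<Client>())      // real clients omitted
    .AddInMemoryApiScopes(Array.Empty<ApiScope>())  // real scopes omitted
    // Registered last so this is the ICorsPolicyService that gets resolved.
    .AddCorsPolicyService<PolicyBridgeCorsService>();

var app = builder.Build();
app.UseIdentityServer(); // IdentityServer first ...
app.UseCors();           // ... then the standard CORS middleware, as the diff states
app.Run();

// Hypothetical bridge: answers IdentityServer's origin check from the named policy.
public sealed class PolicyBridgeCorsService : ICorsPolicyService
{
    public const string PolicyName = "IdentityServerEndpoints"; // hypothetical name

    private readonly CorsOptions _options;
    private readonly ILogger<PolicyBridgeCorsService> _logger;

    public PolicyBridgeCorsService(IOptions<CorsOptions> options,
                                   ILogger<PolicyBridgeCorsService> logger)
        => (_options, _logger) = (options.Value, logger);

    public Task<bool> IsOriginAllowedAsync(string origin)
    {
        // Fail closed: a missing policy or an empty origin means "not allowed".
        // Only the policy's origin predicate is consulted, never AllowAnyOrigin.
        var policy = _options.GetPolicy(PolicyName);
        var allowed = policy is not null
            && !string.IsNullOrWhiteSpace(origin)
            && policy.IsOriginAllowed(origin);
        if (!allowed)
            _logger.LogWarning("CORS origin {Origin} rejected for IdentityServer endpoints", origin);
        return Task.FromResult(allowed);
    }
}
```

Rejected origins are logged at warning level, which gives a direct signal when a browser client is calling the token or userinfo endpoint from an origin that was never configured.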