Skip to content

Clarify ICorsPolicyService is needed for CORS on IdentityServer endpoints #1073

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ProgrammerAL merged 4 commits into from
Apr 27, 2026
Merged

Clarify ICorsPolicyService is needed for CORS on IdentityServer endpoints #1073

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
c28a46a
Added note to clarify `ICorsPolicyService` is needed to setup CORS on…
ProgrammerAL Apr 24, 2026
005ee2a
Fixed document link to full path, not relative
ProgrammerAL Apr 24, 2026
dc41160
Update astro/src/content/docs/identityserver/tokens/cors.md
ProgrammerAL Apr 27, 2026
86dbfcc
Updated CORS page after a weird merge through GitHub web portal
ProgrammerAL Apr 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 28 additions & 21 deletions astro/src/content/docs/identityserver/tokens/cors.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,24 +72,31 @@ Use `AllowAll` with caution.

## Mixing IdentityServer's CORS Policy With ASP.NET Core's CORS Policies

IdentityServer uses the CORS middleware from ASP.NET Core to provide its CORS implementation.
It is possible that your application that hosts IdentityServer might also require CORS for its own custom endpoints.
In general, both should work together in the same application, providing the call to `app.UseCors("mypolicy");` is
called after the call to `app.UseIdentityServer();`.

Your code should use the documented CORS features from ASP.NET Core without regard to IdentityServer.
This means you should define policies and register the middleware as normal.
If your application defines policies in `ConfigureServices`, then those should continue to work in the same places you
are using them (either where you configure the CORS middleware or where you use the MVC `EnableCors` attributes in your
controller code).
If instead you define an inline policy in the use of the CORS middleware (via the policy builder callback), then that
too should continue to work normally.

The one scenario where there might be a conflict between your use of the ASP.NET Core CORS services and IdentityServer
is if you decide to create a custom `ICorsPolicyProvider`.
Given the design of the ASP.NET Core's CORS services and middleware, IdentityServer implements its own custom
`ICorsPolicyProvider` and registers it in the ASP.NET Core service provider.
Fortunately, the IdentityServer implementation is designed to use the decorator pattern to wrap any existing
`ICorsPolicyProvider` that is already registered in the service provider.
What this means is that you can also implement the `ICorsPolicyProvider`, but it needs to be registered prior to
IdentityServer in the service provider (e.g. in `ConfigureServices`).
Duende IdentityServer builds upon the standard ASP.NET Core CORS middleware. If your application needs to support CORS for both IdentityServer endpoints and your own custom API endpoints, they can coexist by following these integration rules.

### Middleware Registration Order

For both systems to function correctly, the order of registration in your middleware pipeline is important. Always place the standard CORS middleware *after* the IdentityServer middleware:

```csharp
Copy link

Copilot AI Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Docs convention: code blocks should include a file title (e.g., // Program.cs as the first line, or a title="..." attribute). This snippet currently has neither, unlike the earlier example in this same page.

Suggested change
```csharp
```csharp title="Program.cs"

Copilot uses AI. Check for mistakes.
app.UseIdentityServer();
app.UseCors("MyCustomPolicy"); // Must come after IdentityServer
```

### Custom CORS Policies

You should continue to use ASP.NET Core CORS features exactly as documented by Microsoft. Your existing configurations will not interfere with IdentityServer:

* **Named Policies:** Policies defined in `AddCors` and referenced via `[EnableCors]` attributes or middleware will work as expected.
* **Inline Policies:** Defining a policy directly within `app.UseCors(builder => ...)` is fully supported.

### Advanced Customization: `ICorsPolicyProvider`

The only potential conflict occurs if you implement a custom [`ICorsPolicyProvider`](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.cors.infrastructure.icorspolicyprovider).

IdentityServer registers its own `ICorsPolicyProvider` to handle its internal endpoints, such as the [token](/identitymodel/endpoints/token.md) and [user info](/identitymodel/endpoints/userinfo.md) endpoints. To ensure both your custom logic and IdentityServer's logic run:

1. **Register your `ICorsPolicyProvider` first:** Register your custom provider in `ConfigureServices` *before* calling `AddIdentityServer`.
2. **The Decorator Pattern:** IdentityServer automatically detects your provider and wraps it. It will consult your provider first; if your provider doesn't handle the request, IdentityServer will then apply its own logic.

Note that while ASP.NET Core manages the middleware, IdentityServer uses an internal service called [`ICorsPolicyService`](/identityserver/reference/stores/cors-policy-service.md) to decide which origins are allowed to access its specific endpoints. If you prefer to use the ASP.NET Core CORS Policy programming model for everything, you will need to provide a custom `ICorsPolicyService` implementation that bridges your ASP.NET Core settings to IdentityServer's endpoints.
Loading