Merged
Changes from 3 commits
33 changes: 33 additions & 0 deletions astro/src/content/docs/identityserver/tokens/cors.md
Expand Up @@ -93,3 +93,36 @@ Fortunately, the IdentityServer implementation is designed to use the decorator
`ICorsPolicyProvider` that is already registered in the service provider.
What this means is that you can also implement the `ICorsPolicyProvider`, but it needs to be registered prior to
IdentityServer in the service provider (e.g. in `ConfigureServices`).

:::note
IdentityServer requires a `ICorsPolicyService` implementation to control CORS for the endpoints it hosts, like the [OIDC Token](/identitymodel/endpoints/token.md) and [OIDC UserInfo](/identitymodel/endpoints/userinfo.md) endpoints. If you prefer to use ASP.NET Core's CORS Policy programming model, you will also need to add a `ICorsPolicyService` implementation for any CORS settings on the IdentityServer endpoints.

Copilot AI Apr 27, 2026

Wording: use "an ICorsPolicyService" (not "a") in both occurrences on this line.

Suggested change
IdentityServer requires a `ICorsPolicyService` implementation to control CORS for the endpoints it hosts, like the [OIDC Token](/identitymodel/endpoints/token.md) and [OIDC UserInfo](/identitymodel/endpoints/userinfo.md) endpoints. If you prefer to use ASP.NET Core's CORS Policy programming model, you will also need to add a `ICorsPolicyService` implementation for any CORS settings on the IdentityServer endpoints.
IdentityServer requires an `ICorsPolicyService` implementation to control CORS for the endpoints it hosts, like the [OIDC Token](/identitymodel/endpoints/token.md) and [OIDC UserInfo](/identitymodel/endpoints/userinfo.md) endpoints. If you prefer to use ASP.NET Core's CORS Policy programming model, you will also need to add an `ICorsPolicyService` implementation for any CORS settings on the IdentityServer endpoints.

Copilot uses AI. Check for mistakes.

Copilot AI Apr 27, 2026

This sentence reads like the host application must provide a custom ICorsPolicyService for IdentityServer endpoints. Since IdentityServer registers a default ICorsPolicyService (e.g., from in-memory/EF client stores), consider rephrasing to clarify that IdentityServer uses ICorsPolicyService for its hosted endpoints, and that you only need to implement one when you want to customize/bridge from ASP.NET Core CORS policies.

Suggested change
IdentityServer requires a `ICorsPolicyService` implementation to control CORS for the endpoints it hosts, like the [OIDC Token](/identitymodel/endpoints/token.md) and [OIDC UserInfo](/identitymodel/endpoints/userinfo.md) endpoints. If you prefer to use ASP.NET Core's CORS Policy programming model, you will also need to add a `ICorsPolicyService` implementation for any CORS settings on the IdentityServer endpoints.
IdentityServer uses an `ICorsPolicyService` implementation to control CORS for the endpoints it hosts, like the [OIDC Token](/identitymodel/endpoints/token.md) and [OIDC UserInfo](/identitymodel/endpoints/userinfo.md) endpoints. If you prefer to use ASP.NET Core's CORS Policy programming model for those IdentityServer endpoints, you only need to add a custom `ICorsPolicyService` implementation when you want to bridge or customize those settings.

Copilot AI Apr 27, 2026

The :::note admonition opened here is never closed with :::. As a result, the following headings/content will render inside the note (and may break page structure). Close the note after the intended paragraph (and add a blank line) before starting the next section.

Suggested change
IdentityServer requires a `ICorsPolicyService` implementation to control CORS for the endpoints it hosts, like the [OIDC Token](/identitymodel/endpoints/token.md) and [OIDC UserInfo](/identitymodel/endpoints/userinfo.md) endpoints. If you prefer to use ASP.NET Core's CORS Policy programming model, you will also need to add a `ICorsPolicyService` implementation for any CORS settings on the IdentityServer endpoints.
IdentityServer requires a `ICorsPolicyService` implementation to control CORS for the endpoints it hosts, like the [OIDC Token](/identitymodel/endpoints/token.md) and [OIDC UserInfo](/identitymodel/endpoints/userinfo.md) endpoints. If you prefer to use ASP.NET Core's CORS Policy programming model, you will also need to add a `ICorsPolicyService` implementation for any CORS settings on the IdentityServer endpoints.
:::

## Mixing IdentityServer's CORS Policy With ASP.NET Core's CORS Policies

Copilot AI Apr 27, 2026

This page already contains a ## Mixing IdentityServer's CORS Policy With ASP.NET Core's CORS Policies section earlier. Adding another section with the same heading will be confusing and creates duplicated guidance; consider extending the existing section instead (or rename this new section to avoid duplication).

Suggested change
## Mixing IdentityServer's CORS Policy With ASP.NET Core's CORS Policies
## IdentityServer CORS Services and Custom Policy Providers

Duende IdentityServer builds upon the standard ASP.NET Core CORS middleware. If your application needs to support CORS for both IdentityServer endpoints and your own custom API endpoints, they can coexist by following these integration rules.

### Middleware Registration Order

For both systems to function correctly, the order of registration in your middleware pipeline is important. Always place the standard CORS middleware *after* the IdentityServer middleware:

Copilot AI Apr 27, 2026

PR description says this change adds a note clarifying ICorsPolicyService for IdentityServer-hosted endpoints, but the diff also adds an entire new (duplicated) section with additional guidance and sample code. Please confirm whether the intent is to only add a short note, or to replace/expand the existing mixing section (and update the content accordingly).

```csharp

Copilot AI Apr 27, 2026

Docs convention: code blocks should include a file title (e.g., // Program.cs as the first line, or a title="..." attribute). This snippet currently has neither, unlike the earlier example in this same page.

Suggested change
```csharp
```csharp title="Program.cs"

app.UseIdentityServer();
app.UseCors("MyCustomPolicy"); // Must come after IdentityServer
```

### Custom CORS Policies

You should continue to use ASP.NET Core CORS features exactly as documented by Microsoft. Your existing configurations will not interfere with IdentityServer:

* **Named Policies:** Policies defined in `AddCors` and referenced via `[EnableCors]` attributes or middleware will work as expected.
* **Inline Policies:** Defining a policy directly within `app.UseCors(builder => ...)` is fully supported.

### Advanced Customization: `ICorsPolicyProvider`

The only potential conflict occurs if you implement a custom [`ICorsPolicyProvider`](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.cors.infrastructure.icorspolicyprovider).

IdentityServer registers its own `ICorsPolicyProvider` to handle its internal endpoints, such as the [token](/identitymodel/endpoints/token.md) and [user info](/identitymodel/endpoints/userinfo.md) endpoints. To ensure both your custom logic and IdentityServer's logic run:

1. **Register your `ICorsPolicyProvider` first:** Register your custom provider in `ConfigureServices` *before* calling `AddIdentityServer`.
2. **The Decorator Pattern:** IdentityServer automatically detects your provider and wraps it. It will consult your provider first; if your provider doesn't handle the request, IdentityServer will then apply its own logic.

Note that while ASP.NET Core manages the middleware, IdentityServer uses an internal service called [`ICorsPolicyService`](/identityserver/reference/stores/cors-policy-service.md) to decide which origins are allowed to access its specific endpoints. If you prefer to use the ASP.NET Core CORS Policy programming model for everything, you will need to provide a custom `ICorsPolicyService` implementation that bridges your ASP.NET Core settings to IdentityServer's endpoints.
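
Review bot: Step 2 under "Advanced Customization" says IdentityServer "will consult your provider first; if your provider doesn't handle the request, IdentityServer will then apply its own logic", which leaves it unclear which component decides the CORS policy for the token and user info endpoints. The paragraph just above it says IdentityServer's provider exists "to handle its internal endpoints", and the closing paragraph says origins for those endpoints are decided by `ICorsPolicyService`; if a custom provider that returns a policy for every request were really consulted first, it would replace that origin check on the IdentityServer endpoints. Please confirm the order against the implementation and state explicitly which requests are passed to the wrapped provider and which are answered from `ICorsPolicyService`. The closing paragraph also repeats the `:::note` added at the top of this hunk almost word for word; keep one of the two.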