September 27, 2021
Protecting Legacy .NET APIs with modern IdentityServer Tokens
To get authenticated SignalR hubs to work, you need to allow credentials in CORS, so your ASP.NET Core code might look like this:

    services.AddCors(action => action.AddPolicy(policyName, builder => builder
        .AllowAnyMethod()
        .AllowAnyHeader()
        .AllowAnyOrigin()
        .AllowCredentials()));

As of ASP.NET Core 2.2, you can no longer combine AllowAnyOrigin and AllowCredentials! You will see a warning in the debug output:
warn: Microsoft.AspNetCore.Cors.Infrastructure.CorsService The CORS protocol does not allow specifying a wildcard (any) origin and credentials at the same time. Configure the policy by listing individual origins if credentials needs to be supported.
This is more than a warning: the misconfigured policy actually breaks SignalR. The preflight OPTIONS request fails, and POST /<hubname>/negotiate never happens, so your clients no longer connect to your hubs.

I was able to fix this by spelling out the allowed origins instead (I actually put the allowed origin in appSettings, and read from there, so it can vary for local dev, test and prod):

    services.AddCors(action => action.AddPolicy(policyName, builder => builder
        .AllowAnyMethod()
        .AllowAnyHeader()
        .WithOrigins("https://portal.northstar.app")
        .AllowCredentials()));
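One way to drive the origin list from configuration, as mentioned above. This is an added example, not the original post's code; the `Cors:AllowedOrigins` key, the policy name, the `PortalHub` class and the `/portalhub` route are all assumptions made for illustration.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.SignalR;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical hub, present only so the example compiles.
public class PortalHub : Hub { }

public class Startup
{
    private const string PolicyName = "SignalRCors"; // assumed policy name
    private readonly IConfiguration _config;

    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed appsettings.{Environment}.json shape (constructed):
        //   "Cors": { "AllowedOrigins": [ "https://portal.northstar.app" ] }
        var origins = (_config.GetSection("Cors:AllowedOrigins").Get<string[]>() ?? new string[0])
            .Select(o => o.Trim().TrimEnd('/')) // browsers send Origin without a trailing slash
            .Where(o => o.Length > 0)
            .ToArray();

        // Fail at startup instead of silently losing hub connections at runtime.
        if (origins.Length == 0 || origins.Contains("*"))
            throw new InvalidOperationException(
                "Cors:AllowedOrigins must list explicit origins when credentials are allowed.");

        services.AddCors(options => options.AddPolicy(PolicyName, builder => builder
            .WithOrigins(origins)
            .AllowAnyMethod()
            .AllowAnyHeader()
            .AllowCredentials()));
        services.AddSignalR();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCors(PolicyName); // CORS middleware must run before the hub endpoints
        app.UseSignalR(routes => routes.MapHub<PortalHub>("/portalhub")); // 2.2-style routing
    }
}
```

Rejecting an empty list or a `*` entry at startup keeps a bad per-environment setting from reintroducing the wildcard-plus-credentials combination.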
Sneaky change! Hope this helps you! You can find a wealth of info on CORS and AspNetCore here.