(616) 371-1037

[email protected]

Breaking change in AspNetCore 2.2 for SignalR and CORS

December 6, 2018 - John Waters


To get authenticated SignalR hubs to work, you need to allow credentials in CORS, so your aspnetcore code might look like this:

As of 2.2. you can no longer combine AllowAnyOrigin and AllowCredentials! You will see a warning in the debug output:

This warning actually breaks SignalR – the preflight OPTIONS request fails, and POST /<hubname>/negotiate never happens. Your clients no longer connect to your hubs.

I was able to fix this by spelling out the allowed origins instead (I actually put the allowed origin in appSettings, and read from there, so it can vary for local dev, test and prod) :

Sneaky change! Hope this helps you! You can find a wealth of info on CORS and AspNetCore here.

John Waters

4 thoughts on “Breaking change in AspNetCore 2.2 for SignalR and CORS

  • Mikhail

    March 3, 2019 at 2:20 am


  • Dev

    March 25, 2019 at 9:24 am

    Hey John,

    Facing same error.

    I have three different projects
    1. Web
    2. API
    3. SignalR Hub (class library)

    Its working file while I access SignalR from web, however, while requesting API project from other machine gives me warning as same you mentioned in the above post.

    But I couldn’t figure out that which URL I do need to pass in .WithOrigins()

    Could you please let me know?

    • John Waters

      April 3, 2019 at 12:59 pm

      I added a configuration item to appSettings.json, something like:

      "System": {
      "ApiUrl": "https://localhost:44319/api",
      "WebUrl": "http://localhost:4200",
      "AllowedOrigins": "http://localhost:4400,http://localhost:4300"

      I read this in Startup, and build a list of allowed origins (which also includes another URL, systemOptions.WebUrl, because my API need to know that URL for other reasons)

      var allowedOrigins = new List();
      if (!string.IsNullOrEmpty(systemOptions.WebUrl))
      if (systemOptions.AllowedOrigins != null)
      var additionalOrigins = systemOptions.AllowedOrigins.Split(",", StringSplitOptions.RemoveEmptyEntries);
      services.AddCors(action =>
      builder =>

      In development I add localhost origins used when debugging. In Prod, the only allowed one ends up being the one I store in WebURL.

  • Joshua Ryder

    April 29, 2019 at 9:55 am

    I fucking love you 😀
    Had an old blog post about signalr and wanted to update my code sample to newest versions. Then it all stopped working…. This post got it back on track again 🙂


Leave a comment

Your email address will not be published. Required fields are marked *