|
| 1 | +--- |
| 2 | +title: Understand and solve Azure AD Application Proxy CORS issues |
| 3 | +description: Provides an understanding of CORS in Azure AD Application Proxy, and how to identify and solve CORS issues. |
| 4 | +services: active-directory |
| 5 | +author: jeevanbisht |
| 6 | +manager: mtillman |
| 7 | +ms.service: active-directory |
| 8 | +ms.subservice: app-mgmt |
| 9 | +ms.workload: identity |
| 10 | +ms.topic: conceptual |
| 11 | +ms.date: 05/23/2019 |
| 12 | +ms.author: celested |
| 13 | +ms.reviewer: japere |
| 14 | +--- |
| 15 | + |
| 16 | +# Understand and solve Azure Active Directory Application Proxy CORS issues |
| 17 | + |
| 18 | +[Cross-origin resource sharing (CORS)](http://www.w3.org/TR/cors/) can sometimes present challenges for the apps and APIs you publish through the Azure Active Directory Application Proxy. This article discusses Azure AD Application Proxy CORS issues and solutions. |
| 19 | + |
| 20 | +Browser security usually prevents a web page from making AJAX requests to another domain. This restriction is called the *same-origin policy*, and prevents a malicious site from reading sensitive data from another site. However, sometimes you might want to let other sites call your web API. CORS is a W3C standard that lets a server relax the same-origin policy and allow some cross-origin requests while rejecting others. |
| 21 | + |
| 22 | +## Understand and identify CORS issues |
| 23 | + |
| 24 | +Two URLs have the same origin if they have identical schemes, hosts, and ports ([RFC 6454](https://tools.ietf.org/html/rfc6454)), such as: |
| 25 | + |
| 26 | +- http:\//contoso.com/foo.html |
| 27 | +- http:\//contoso.com/bar.html |
| 28 | + |
| 29 | +The following URLs have different origins than the previous two: |
| 30 | + |
| 31 | +- http:\//contoso.net - Different domain |
| 32 | +- http:\//contoso.com:9000/foo.html - Different port |
| 33 | +- https:\//contoso.com/foo.html - Different scheme |
| 34 | +- http:\//www.contoso.com/foo.html - Different subdomain |
| 35 | + |
| 36 | +Same-origin policy prevents apps from accessing resources from other origins unless they use the correct access control headers. If the CORS headers are absent or incorrect, cross-origin requests fail. |
| 37 | + |
| 38 | +You can identify CORS issues by using browser debug tools: |
| 39 | + |
| 40 | +1. Launch the browser and browse to the web app. |
| 41 | +1. Press **F12** to bring up the debug console. |
| 42 | +1. Try to reproduce the transaction, and review the console message. A CORS violation produces a console error about origin. |
| 43 | + |
| 44 | +In the following screenshot, selecting the **Try It** button caused a CORS error message that https:\//corswebclient-contoso.msappproxy.net wasn't found in the Access-Control-Allow-Origin header. |
| 45 | + |
| 46 | + |
| 47 | + |
| 48 | +## CORS challenges with Application Proxy |
| 49 | + |
| 50 | +The following example shows a typical Azure AD Application Proxy CORS scenario. The internal server hosts a **CORSWebService** web API controller, and a **CORSWebClient** that calls **CORSWebService**. There's an AJAX request from **CORSWebClient** to **CORSWebService**. |
| 51 | + |
| 52 | + |
| 53 | + |
| 54 | +The CORSWebClient app works when you host it on-premises, but either fails to load or errors out when published through Azure AD Application Proxy. If you published the CORSWebClient and CORSWebService apps separately as different apps through Application Proxy, the two apps are hosted at different domains. An AJAX request from CORSWebClient to CORSWebService is a cross-origin request, and it fails. |
| 55 | + |
| 56 | + |
| 57 | + |
| 58 | +## Solutions for Application Proxy CORS issues |
| 59 | + |
| 60 | +You can resolve the preceding CORS issue in any one of several ways. |
| 61 | + |
| 62 | +### Option 1: Set up a custom domain |
| 63 | + |
| 64 | +Use an Azure AD Application Proxy [custom domain](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-custom-domains) to publish from the same origin, without having to make any changes to app origins, code, or headers. |
| 65 | + |
| 66 | +### Option 2: Publish the parent directory |
| 67 | + |
| 68 | +Publish the parent directory of both apps. This solution works especially well if you have only two apps on the web server. Instead of publishing each app separately, you can publish the common parent directory, which results in the same origin. |
| 69 | + |
| 70 | +The following examples show the portal Azure AD Application Proxy page for the CORSWebClient app. When the **Internal URL** is set to *contoso.com/CORSWebClient*, the app can't make successful requests to the *contoso.com/CORSWebService* directory, because they're cross-origin. |
| 71 | + |
| 72 | + |
| 73 | + |
| 74 | +Instead, set the **Internal URL** to publish the parent directory, which includes both the *CORSWebClient* and *CORSWebService* directories: |
| 75 | + |
| 76 | + |
| 77 | + |
| 78 | +The resulting app URLs effectively resolve the CORS issue: |
| 79 | + |
| 80 | +- https:\//corswebclient-contoso.msappproxy.net/CORSWebService |
| 81 | +- https:\//corswebclient-contoso.msappproxy.net/CORSWebClient |
| 82 | + |
| 83 | +### Option 3: Update HTTP headers |
| 84 | + |
| 85 | +Add a custom HTTP response header on the web service to match the origin request. For websites running in Internet Information Services (IIS), use IIS Manager to modify the header: |
| 86 | + |
| 87 | + |
| 88 | + |
| 89 | +This modification doesn't require any code changes. You can verify it in the Fiddler traces: |
| 90 | + |
| 91 | +**Post the Header Addition**\ |
| 92 | +HTTP/1.1 200 OK\ |
| 93 | +Cache-Control: no-cache\ |
| 94 | +Pragma: no-cache\ |
| 95 | +Content-Type: text/plain; charset=utf-8\ |
| 96 | +Expires: -1\ |
| 97 | +Vary: Accept-Encoding\ |
| 98 | +Server: Microsoft-IIS/8.5 Microsoft-HTTPAPI/2.0\ |
| 99 | +**Access-Control-Allow-Origin: https://corswebclient-contoso.msappproxy.net**\ |
| 100 | +X-AspNet-Version: 4.0.30319\ |
| 101 | +X-Powered-By: ASP.NET\ |
| 102 | +Content-Length: 17 |
| 103 | + |
| 104 | +### Option 4: Modify the app |
| 105 | + |
| 106 | +You can change your app to support CORS by adding the Access-Control-Allow-Origin header, with appropriate values. The way to add the header depends on the app's code language. Changing the code is the least recommended option, because it requires the most effort. |
| 107 | + |
| 108 | +### Option 5: Extend the lifetime of the access token |
| 109 | + |
| 110 | +Some CORS issues can't be resolved, such as when your app redirects to *login.microsoftonline.com* to authenticate, and the access token expires. The CORS call then fails. A workaround for this scenario is to extend the lifetime of the access token, to prevent it from expiring during a user’s session. For more information about how to do this, see [Configurable token lifetimes in Azure AD](../develop/active-directory-configurable-token-lifetimes.md). |
| 111 | + |
| 112 | +## See also |
| 113 | +- [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](application-proxy-add-on-premises-application.md) |
| 114 | +- [Plan an Azure AD Application Proxy deployment](application-proxy-deployment-plan.md) |
| 115 | +- [Remote access to on-premises applications through Azure Active Directory Application Proxy](application-proxy.md) |
0 commit comments