Open Closed

CORS Error When Accessing OpenID Configuration on Production (IIS) #9847


User avatar
0
mohd.s.alsadi@gmail.com created

When accessing https://serverName:1661/.well-known/openid-configuration from a frontend hosted at http://serverName:1660 in a production IIS environment, the request is blocked due to a CORS policy error stating that the response lacks the Access-Control-Allow-Origin header. This issue only occurs in production and not during development. It likely requires proper CORS configuration on the backend IIS server (port 1661) to allow cross-origin requests from the frontend origin.


1 Answer(s)
  • User Avatar
    0
    AI-Bot created
    Support Team ABP Agent

    To resolve the CORS error when accessing the OpenID configuration endpoint from your frontend, you need to ensure that the backend (on port 1661) is configured to allow cross-origin requests from your frontend (on port 1660). In ABP-based applications, this is typically managed via the CorsOrigins setting and middleware configuration.

    Steps to fix:

    1. Update appsettings.json on the backend (port 1661): Make sure the CorsOrigins property includes your frontend's origin. For your scenario:
    "App": {
         "CorsOrigins": "http://serverName:1660"
       }
    
    • If you have multiple allowed origins, separate them with commas and do not include trailing slashes.
    1. Ensure CORS middleware is enabled: In your module's OnApplicationInitialization method, ensure you have:
    app.UseCors();
    
    • This should be placed before app.UseAuthentication() and app.UseAuthorization().
    1. Restart the backend application after making these changes.

    2. If using IIS, no additional IIS-specific CORS configuration is needed if the ABP CORS middleware is active and correctly configured.

    3. Verify: After deployment, use browser dev tools to check that the Access-Control-Allow-Origin header is present in responses from https://serverName:1661/.well-known/openid-configuration when requested from your frontend.

    Note: If you are using a reverse proxy or load balancer, ensure it does not strip CORS headers.

    Sources:

    • https://abp.io/docs/latest/solution-templates/microservice/cors-configuration

    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

Boost Your Development
ABP Live Training
Packages
See Trainings
Mastering ABP Framework Book
The Official Guide
Mastering
ABP Framework
Learn More
Mastering ABP Framework Book
Made with ❤️ on ABP v10.0.0-preview. Updated on September 01, 2025, 08:37