Question
I've got 2 projects: Project1 is the main app (localhost:4016) and Project2 is a child app (localhost:4055), and the authorization token cookies are shared between the 2 projects.
It works fine locally but does not work when hosted on Azure. I get the following error:
Access to XMLHttpRequest at 'https://devplatform.b2clogin.com/devplatform.onmicrosoft.com/b2c_1_sign_in/oauth2/v2.0/authorize?client_id=XXXX&redirect_uri=https://myapps.example.com/home/index ...' (redirected from 'https://www.example.com/api/home/getlist') from origin 'https://www.example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I'm using the following OpenIdConnect configuration for Azure AD B2C authentication in multiple projects.
using System;
using System.Net;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Startup.Auth.cs (OWIN/Katana). Globals, OnRedirectToIdentityProvider, OnAuthorizationCodeReceived
// and OnAuthenticationFailed are defined elsewhere in the project and are not shown here.
public void ConfigureAuth(IAppBuilder app)
{
    // Required for Azure webapps, as by default they force TLS 1.2 and this project attempts 1.0
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

    // Sign-in results from the OIDC middleware are persisted in the cookie middleware below
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions()
    {
        // locally it'll keep redirecting infinitely
        CookieDomain = ".example.com" // only required when we host it, so the cookie persists across both apps
    });

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            // Generate the metadata address using the tenant and policy information
            MetadataAddress = String.Format(Globals.WellKnownMetadata, Globals.Tenant, Globals.DefaultPolicy),

            // These are standard OpenID Connect parameters, with values pulled from web.config
            ClientId = Globals.ClientId,
            RedirectUri = Globals.RedirectUri,
            PostLogoutRedirectUri = Globals.RedirectUri,

            // Specify the callbacks for each type of notification
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = OnRedirectToIdentityProvider,
                AuthorizationCodeReceived = OnAuthorizationCodeReceived,
                AuthenticationFailed = OnAuthenticationFailed,
            },

            // Specify the claim type that supplies the Name property.
            // Note: ValidateIssuer = false means the id_token's "iss" claim is not checked against the
            // metadata issuer, so tokens from any issuer that passes signature validation are accepted.
            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                ValidateIssuer = false
            },

            // Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
            Scope = $"openid profile offline_access {Globals.ReadTasksScope} {Globals.WriteTasksScope}"
        }
    );
}
If I do a redirect in the authentication-failed event, I get the following nonce error:
IDX21323: RequireNonce is ‘[PII is hidden by default. Set the ‘ShowPII’ flag in IdentityModelEventSource.cs to true to reveal it.]’. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don’t need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to ‘false’. Note if a ‘nonce’ is found it will be evaluated.
I can disable it with the following statement:
ProtocolValidator = new OpenIdConnectProtocolValidator() { RequireNonce = false }
But that introduced the following error:
IDX21329: RequireState is '[PII is hidden]' but the OpenIdConnectProtocolValidationContext.State is null. State cannot be validated.
I tried to disable that with the following statement, but the issue is still the same.
ProtocolValidator = new OpenIdConnectProtocolValidator() { RequireNonce = false, RequireState = false }
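The CORS error in the question is the browser refusing to let an XMLHttpRequest follow a 302 from `/api/home/getlist` to the cross-origin `b2clogin.com` authorize endpoint, which sends no `Access-Control-Allow-Origin` header. The usual way to stop the OIDC middleware from redirecting API calls is to short-circuit the challenge inside the `RedirectToIdentityProvider` notification that the configuration above already wires up. The handler below is an added example written for this edit, not the question's own `OnRedirectToIdentityProvider` (whose body is not shown); it assumes the API lives under the `/api` path seen in the error URL, treats the `X-Requested-With: XMLHttpRequest` header as the AJAX marker, and uses a hypothetical `X-Login-Url` response header for the client to act on.

```csharp
using System;
using System.Net;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;

public partial class Startup
{
    // Added example: answer XHR/API calls with 401 instead of a cross-origin 302 to the
    // B2C authorize endpoint. Wired up via Notifications.RedirectToIdentityProvider.
    private static Task OnRedirectToIdentityProvider(
        RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
    {
        // Only intercept the sign-in challenge; sign-out redirects pass through untouched.
        if (context.ProtocolMessage.RequestType != OpenIdConnectRequestType.Authentication)
        {
            return Task.FromResult(0);
        }

        IOwinRequest request = context.OwinContext.Request;

        // Assumption: API routes live under /api (as in the failing /api/home/getlist call) and
        // browser-side callers send X-Requested-With: XMLHttpRequest.
        bool isAjaxOrApi =
            request.Path.StartsWithSegments(new PathString("/api")) ||
            string.Equals(request.Headers["X-Requested-With"], "XMLHttpRequest",
                          StringComparison.OrdinalIgnoreCase);

        if (!isAjaxOrApi)
        {
            // Normal page navigation: let the middleware issue its usual 302 to b2clogin.com.
            return Task.FromResult(0);
        }

        IOwinResponse response = context.OwinContext.Response;
        response.StatusCode = (int)HttpStatusCode.Unauthorized;

        // Hypothetical header name: hand the client the authorize URL so it can navigate the
        // top-level window there (a top-level navigation is not subject to CORS).
        response.Headers.Set("X-Login-Url", context.ProtocolMessage.CreateAuthenticationRequestUrl());

        // Tell Katana the response is done so it does not write the 302 itself.
        context.HandleResponse();
        return Task.FromResult(0);
    }
}
```

On the client side, a 401 from the API with that header should be handled by setting `window.location` to the supplied URL (or to a known sign-in page of the app) rather than by retrying the XHR; the nonce and state cookies the middleware wrote before invoking the notification are then sent along with the top-level navigation and the callback to `RedirectUri` can validate them as usual.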
Source: https://stackoverflow.com/questions/62329703/azure-ad-b2c-cors-policy-issue-for-multi-app-services