I am currently working on an ASP.NET Core web application that serves as a Blazor app. This application communicates with backend SAP APIs over SOAP. To mitigate Cross-Origin Resource Sharing (CORS) issues, I’ve implemented a YARP ReverseProxy layer between my application and the backend APIs.
However, there’s a challenge: I have to pass the credentials as a part of the Authorization header in order to get authenticated. The APIs also support the SSO, so my expectation is if I dont send the credentials as a part of header it should be automatically be redirecting it to Microsoft login and login the user and callback the app.
My main application runs on localhost:6799, while the YARP ReverseProxy operates on localhost:6899.
When I make the backend API call from the application I get below error:
Access to fetch at 'https://login.microsoftonline.com/(the token data)'(redirected from'https://localhost:6899/') from origin 'http://localhost:6799' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
I am not sure how do I mitigate the error of the CORS in this case of ReverseProxy?
What I truly desire is for the YARP ReverseProxy to handle authentication details transparently after the initial SSO and callback. Once authenticated, subsequent API requests should flow seamlessly through the YARP ReverseProxy without involving the application.
In summary, we need to configure the YARP ReverseProxy to manage authentication and relay authentication information effectively. By doing so, we can ensure a secure and efficient communication channel between our application and the backend SAP services.