Access-Control-Allow-Credentials not set in credentialed CORS request
Not sure if this is a bug or a feature request. This is affecting me when using Azure Functions, but I beleive this has to do with the CORS implementation in Web Apps.
Basically, the Access-Control-Allow-Credentials header is not being set in response to credentialed requests.
Someone else posted this issue in the azure functions github, but @lindydonna said this was to do with Web Apps. Original github issue is here:
The problem is also documented on the official MS developer blog here:
Placing back as Under Review after discussion here in the comments, over GitHub and internally in the team. We will share more when we have a clear approach and timeline.
I am also hit by this issue but with a web app. The CORS functionality in Azure currently seems broken if one wants their application to be secured with Azure AD. How do people develop Angular apps locally when it seems completely impossible to connect to the backend.
Chris Gillum (MSFT) commented
Thanks everyone for the discussion and for the good points you have raised. We've moved this request back into the "Under Review" status and are currently discussing how and when to implement support for Access-Control-Allow-Credentials. No timelines we can share yet, but we agree that this feature is necessary.
Joshua Lloyd commented
If the portal "should not be used for CORS features", then how is it reasonable to offer a CORS configuration page for domains? This feature request is clearly for extending the support for CORS, since you've already developed partial support. If there was no support in Azure Portal at all for CORS I could reasonably understand your choice to decline. However, as it stands currently the CORS support in Azure Portal *IS* present, but is not complete. This request is to complete it. I decline your reason for declining. Please reconsider this issue. Currently, the portal is getting in the way of proper CORS responses since taking over the CORS response in user-code means working around the partial CORS support in the App Service/Portal.
Is there a consideration on adding the support for Credentials support in near future ? as it is most commonly used usecase.
Right now, I have resorted having an HttpModule to add required Cors Headers. https://davidsekar.com/asp-net/cors-with-credential-support-on-azure
Hoping for an official support soon...
Frank Hellwig commented
This was a real struggle for me as well... trying to leverage App Service Authentication / Authorization (Easy Auth) locally, during development and test for my Express API app running on my localhost.
I ended up writing an Express middleware module that works around this: https://www.npmjs.com/package/azure-easy-auth-local
While an Express/Node.js module, the concepts can be applied in other environments as well.
Rodolfo Grave commented
Same as above. The reasoning for closing this ticket doesn't make any sense to me.
Eric Jutrzenka commented
The article says that it is a known issue and that what is stated in the article is a work-around and breaks the portal functionality as you have to remove all origins. Also, this isn't just to do with the portal, the same problem arises when defining via an ARM template.
I don't understand what you're saying:
"We’re declining this feature request since the App Service (Web Apps) CORS feature doesn’t support “supports credentials."
Wasn't that what this request was for? To allow you to set it in the portal, so you don't have to do it manually?