http://identitymodel.codeplex.com/
https://identityserver.github.io/
Windows Identity Foundation
6.1.7600.16394
Windows Identity Foundation enables .NET developers to externalize identity logic from their application, improving developer productivity, enhancing application security, and enabling interoperable federation. Enjoy greater productivity, applying the same tools and programming model to build on-premises software as well as cloud services. Create more secure applications by reducing custom implementations and using a single simplified identity model based on claims. Enjoy greater flexibility in application deployment through interoperability based on industry standard protocols, allowing applications and identity infrastructure services to communicate via claims.
To install Windows Identity Foundation, run the following command in the Package Manager Console
CORS support in WebAPI, MVC and IIS with Thinktecture.IdentityModel
My second contribution to the Thinktecture.IdentityModel security library is a full-featured CORS implementation. Many other sample implementations only emit the Access-Control-Allow-Origin header, but there’s more to it than that. The implementation in Thinktecture.IdentityModel follows the W3C Working Draft 3 from April 2012. There is a rich configuration API to control the various settings that are involved with CORS. These settings include which resource you want to configure, which origins are allowed, which HTTP methods are allowed, which request and/or response headers are allowed and are cookies allowed.
In this first release there is support for WebAPI, ASP.NET MVC and IIS. For WebAPI you configure your settings per controller. For MVC you can configure the settings per controller or for specific controller actions. For IIS you configure the settings per URL. If there’s enough interest, then perhaps in a future version I can add support for WCF REST and WCF Data Services.
I won’t bother explaining CORS since there are already enough posts on it elsewhere. Instead I’ll just show how to get started with the library. First, reference the NuGet package. Next, depending on the type of application (WebAPI, MVC or IIS) you need to configure how you want CORS support. Below shows each of the different environments:
WebAPI
In WebAPI the implementation is a delegating handler. This allows the CORS settings to be global or per-route (which is forthcoming post-RC). For example if you were to configure it globally then in global.asax‘s Application_Start you would have a call out to the configuration class passing the global HttpConfiguration object (this follows the new style of factoring out configuration to separate classes in the App_Start folder):
1 2 3 4 5 6 |
|
And then in App_Start/CorsConfig.cs:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
|
In WebAPI resources are identified by the controller name as in the above example for the“Products” controller.
MVC
In MVC you need to register a HttpModule to enable CORS support, so in web.config:
1 2 3 4 5 6 |
|
And then again in global.asax you would configure the settings:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
|
In MVC resources can either be identified just by the controller name (with just “Controller” for the resource name) or by the controller and action (as with the above sample with the“Controller.Action” syntax).
IIS
In IIS you need to register a HttpModule (different than the one for MVC), so in web.config:
1 2 3 4 5 6 |
|
And then again in global.asax you would configure the settings:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
|
In IIS resources are identified by the application relative path (thus the “~/path/resource”syntax).
Other Configuration Options
While the above samples show a minimal amount of code to get CORS enabled and running in your app, these are some of the least restrictive settings. Typically more thought should go into the settings and so there is a rich API for configuring the various CORS settings. Here are some more examples:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 |
|
Of course, feedback is welcome. Enjoy.
Edit: Common configuration issues when enabling CORS on IIS.