CORS error when redirecting to client from API using OIDC and Microsoft SSO #fastapi #angular #sso #CORS

[codezard]

First Check

• I added a very descriptive title here.
• I used the GitHub search to find a similar question and didn't find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google "How to X in FastAPI" and didn't find any information.
• I already read and followed all the tutorial in the docs and didn't find an answer.
• I already checked if it is not related to FastAPI but to Pydantic.
• I already checked if it is not related to FastAPI but to Swagger UI.
• I already checked if it is not related to FastAPI but to ReDoc.

Commit to Help

• I commit to help with one of those options 👆

Example Code

origins = [
    # "https://localhost:4200",
        #    "https://localhost:4200/",
            "http://localhost",
            # "http://localhost:4200",
            "http://localhost:3000",
            "http://localhost:8000",
            "https://localhost:4200",
            "https://localhost:4200/",
            "https://localhost:8000",
            "https://localhost:8000/"]
app.add_middleware(
    CORSMiddleware,
    allow_origins=origins,
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*","http://localhost"],
)

# TODO: SSO endpoints here

oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")

class UserInfo:
    name: Optional[str] = None
    email: Optional[str] = None
    given_name: Optional[str] = None
    surname: Optional[str] = None

@app.get("/Account/SpaLogin")
async def spa_login(spaUrl: Optional[str] = "https://localhost:4200"):
    logger.info("Running /Account/SpaLogin endpoint")
    try:
        logger.info(f"spaUrl: {spaUrl}")
    except:
        logger.info("Unable to print token and spaUrl")
    # if token:
    #     return {"message": "User is authenticated"}
    # else:
    return RedirectResponse(url=f"/Account/SpaRedirect?spaUrl={quote(spaUrl)}", status_code=status.HTTP_302_FOUND)

@app.get("/Account/SpaRedirect")
async def spa_redirect(spaUrl: Optional[str] = "https://localhost:4200"):
    return RedirectResponse(url=spaUrl)

Description

Access to XMLHttpRequest at 'https://localhost:4200/' (redirected from 'https://localhost:8000/Account/SpaLogin?spaUrl=https%3A%2F%2Flocalhost%3A4200%2F')) from origin 'https://localhost:4200' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Operating System

Windows

Operating System Details

Deploying frontend(angular) and python backend(fastapi) on Azure App Service

FastAPI Version

0.109.1

Pydantic Version

2.5.3

Python Version

Python 3.10.9

Additional Context

No response