I have an MVC site deployed to "mysite.mydomain.com" that authenticates with ADFS and creates an auth cookie:
    using System.Configuration;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.WsFederation;
    using Owin;

    public partial class Startup
    {
        public void ConfigureUserAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(WsFederationAuthenticationDefaults.AuthenticationType);

            // Cookie middleware: persists the ADFS sign-in as an auth cookie.
            app.UseCookieAuthentication(new CookieAuthenticationOptions()
            {
                AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
            });

            // WS-Federation middleware: redirects unauthenticated users to ADFS.
            app.UseWsFederationAuthentication(
                new WsFederationAuthenticationOptions
                {
                    MetadataAddress = ConfigurationManager.AppSettings["adsfs.MetadataAddress"],
                    Wtrealm = ConfigurationManager.AppSettings["adsfs.Wtrealm"]
                });
        }
    }
There is also a WebAPI site deployed to "myapi.mydomain.com" with CORS enabled:
    GlobalConfiguration.Configuration.EnableCors(
        new EnableCorsAttribute("https://mysite.mydomain.com", "*", "*") { SupportsCredentials = true });
The user goes to mysite.mydomain.com. The MVC site is authenticated against ADFS and I see that the auth cookie is not set.
My application is mainly an SPA, so the JavaScript there makes AJAX calls to myapi.mydomain.com using jQuery, setting the withCredentials parameter to true:

    $.ajaxSetup({
        xhrFields: { withCredentials: true }
    });

It is assumed that these parameters should send security credentials (cookies) to the API. At runtime, I don't see cookies being set in the API, and I get error 401 (Unauthorized) as expected.
localhost ( , , ), , cookie, API, . - , (localhost), "mysite" "myapi".
?
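
The browser-side rule that decides whether a cookie set by mysite.mydomain.com is attached to a credentialed request for myapi.mydomain.com, as an added example that is not part of the original post. It models only the Domain attribute matching of RFC 6265; the cookie name `AuthCookie`, its value and the function names are constructed for illustration.

```javascript
// Added example: RFC 6265 cookie scoping, reduced to the Domain attribute.
// Simplified: no public-suffix, IP-address, Path or Secure checks.
// Hosts are compared without a port, because cookies are not port-scoped.

// RFC 6265 section 5.1.3: identical, or host ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Turn a Set-Cookie header received from originHost into a stored cookie.
function storeCookie(setCookie, originHost) {
  const [pair, ...attrs] = setCookie.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: originHost.toLowerCase(),
    hostOnly: true            // no Domain attribute: exact host only
  };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    if (key.toLowerCase() === "domain" && val) {
      const d = val.replace(/^\./, "").toLowerCase();
      // A server may only scope a cookie to its own host or a parent domain.
      if (!domainMatch(originHost, d)) return null;
      cookie.domain = d;
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// Would the browser attach the cookie to a withCredentials request for requestHost?
function isSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// Constructed sample headers, both issued by mysite.mydomain.com.
const hostOnly = storeCookie("AuthCookie=abc; Path=/; Secure; HttpOnly", "mysite.mydomain.com");
const shared = storeCookie("AuthCookie=abc; Domain=mydomain.com; Path=/; Secure; HttpOnly", "mysite.mydomain.com");

for (const [label, c] of [["host-only", hostOnly], ["Domain=mydomain.com", shared]]) {
  for (const host of ["mysite.mydomain.com", "myapi.mydomain.com"]) {
    console.log(`${label} -> ${host}: ${isSentTo(c, host) ? "sent" : "not sent"}`);
  }
}
```

In Katana the Domain attribute is controlled by `CookieAuthenticationOptions.CookieDomain`, which is unset in the configuration shown above. Widening it exposes the auth cookie to every host under that domain, so the API then has to be able to validate it and every sibling host has to be trusted with it.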