Azure API管理- CORS问题

Azure API Management - CORS issue

本文关键字:CORS 问题 管理 API Azure      更新时间:2023-09-26

在Azure API管理的最顶层范围内提供以下CORS策略:

<policies>
        <inbound>
            <cors>
                <allowed-origins>
                    <origin>*</origin>
                </allowed-origins>
                <allowed-methods>
                    <method>*</method>
                </allowed-methods>
                <allowed-headers>
                    <header>*</header>
                </allowed-headers>
                <expose-headers>
                    <header>*</header>
                </expose-headers>
            </cors>
        </inbound>
        <backend>
            <forward-request />
        </backend>
        <outbound />
    </policies>

在使用:

    var xhr = new XMLHttpRequest();
    xhr.open('GET', 'https://mydomain.azure-api.net/calc/add?a=5&b=5');                 
    xhr.send();

原始请求:

    GET https://mydomain.azure-api.net/calc/add?a=5&b=5 HTTP/1.1
    Host: mydomain.azure-api.net
    Connection: keep-alive
    Origin: https://any.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36
    Accept: */*
    Referer: https://any.com/
    Accept-Encoding: gzip, deflate, sdch, br
    Accept-Language: en-US,en;q=0.8,de;q=0.6,pl;q=0.4

我收到错误信息:

XMLHttpRequest cannot load https://mydomain.azure-api.net/calc/add?a=5&b=5. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://any.com' is therefore not allowed access. The response had HTTP status code 401.

原始反应:

    HTTP/1.1 401 Access Denied
    Content-Length: 152
    Content-Type: application/json
    WWW-Authenticate: AzureApiManagementKey realm="https://mydomain.azure-api.net/calc",name="Ocp-Apim-Subscription-Key",type="header"
    Date: Fri, 04 Nov 2016 09:31:15 GMT
    { "statusCode": 401, "message": "Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API." }

只要我使用正确的api键:

    var xhr = new XMLHttpRequest();
    xhr.open('GET', 'https://mydomain.azure-api.net/calc/add?a=5&b=5');     
    xhr.setRequestHeader('Ocp-Apim-Subscription-Key', '**********************');
    xhr.send();

原始请求:

    GET https://mydomain.azure-api.net/calc/add?a=5&b=5 HTTP/1.1
    Host: mydomain.azure-api.net
    Connection: keep-alive
    Origin: https://any.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36
    Ocp-Apim-Subscription-Key: **********************
    Accept: */*
    Referer: https://any.com/
    Accept-Encoding: gzip, deflate, sdch, br
    Accept-Language: en-US,en;q=0.8,de;q=0.6,pl;q=0.4

我收到成功消息。

原始反应:

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Length: 123
    Content-Type: application/xml; charset=utf-8
    Expires: -1
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Date,Server,X-AspNet-Version,X-Powered-By
    Date: Fri, 04 Nov 2016 09:34:44 GMT
    <result><value>10</value><broughtToYouBy>Azure API Management - http://azure.microsoft.com/apim/ </broughtToYouBy></result>

问题:

在我看来,只有在提供不正确/没有API密钥时才会发生CORS问题,这是Azure API管理的预期行为吗?

简而言之,是的,我不确定这是正确的错误消息,显示然而,API管理解决方案是基于订阅id和密钥就像一个正常的API,所以我不希望它工作时,你不传递所需的信息。

这在不同的实例中也发生过。我试图访问一个错误的端点,仍然在浏览器上收到相同的CORS问题。当我尝试通过Postman进行相同的呼叫时,它给了我未发现异常的资源。未找到资源/无效JWT/JWT验证失败,控制台日志中给出了CORS错误。它正确地给出未经授权的错误或正确地给出500内部错误。我验证了Postman上的实际响应,并尝试在此之后修复它。

相关文章: