There are several ways to accomplish this, other answers can be found on this similar question –> Angular4 ASP.NET Core 1.2 Windows Authentication CORS for PUT and POST Gives 401
CORS Module
It is possible to configure IIS by using the CORS Module.
As seen here: https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module
And further information available here: https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module
The IIS CORS module is designed to handle the CORS preflight requests
before other IIS modules handle the same request. The OPTIONS requests
are always anonymous, so CORS module provides IIS servers a way to
correctly respond to the preflight request even if anonymous
authentification needs to be disabled server-wise.
You will need to enable the CORS Module via the Webconfig:
<?xml version="1.0"?>
<configuration>
<system.webServer>
<cors enabled="true">
<add origin="*" allowCredentials="true" />
</cors>
</system.webServer>
</configuration>
for more granular control:
<?xml version="1.0"?>
<configuration>
<system.webServer>
<cors enabled="true">
<add origin="https://readonlyservice.constoso.com" allowCredentials="true">
<allowMethods>
<add method="GET" />
<add method="HEAD" />
</allowMethods>
<allowHeaders>
<add header="content-type" />
<add header="accept" />
</allowHeaders>
</add>
<add origin="https://readwriteservice.constoso.com" allowCredentials="true">
<allowMethods>
<add method="GET" />
<add method="HEAD" />
<add method="POST" />
<add method="PUT" />
<add method="DELETE" />
</allowMethods>
</add>
</cors>
</system.webServer>
</configuration>
Redirect OPTIONS
You can redirect all OPTIONS requests to always give an OK status.
This will however subvert the entire idea of a preflight request, so use this only if it’s applicable to your situation.
Install the redirect module in IIS.
Add the following redirect to your Webconfig.
<rewrite>
<rules>
<rule name="CORS Preflight Anonymous Authentication" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{REQUEST_METHOD}" pattern="^OPTIONS$" />
</conditions>
<action type="CustomResponse" statusCode="200" statusReason="Preflight" statusDescription="Preflight" />
</rule>
</rules>
</rewrite>
Middleware
Alternatively the desired result can be achieved by enabling anonymous authentication in IIS and creating a middleware in the Net Core API that checks if a person is properly authenticated.
Middleware:
public AuthorizationMiddleware(RequestDelegate next, ILogger logger)
{
_next = next;
_log = logger;
}
public async Task Invoke(HttpContext httpContext)
{
//Allow OPTIONS requests to be anonymous
if (httpContext.Request.Method != "OPTIONS" && !httpContext.User.Identity.IsAuthenticated)
{
httpContext.Response.StatusCode = 401;
await httpContext.Response.WriteAsync("Not Authenticated");
}
await _next(httpContext);
}