(OrchardCore.OpenId) contains CORS metadata, but a middleware was not found that supports CORS. #16429

Closed
MikeAlhayek opened this issue Jul 11, 2024 · 6 comments · Fixed by #16437

@MikeAlhayek
Member

Describe the bug

I am not sure if this is an issue or just a misuse. I run the main branch locally. I created a site using the blank recipe called sso and enabled the OpenId server feature. I added email and profile scopes, then created a test application.

I created another tenant locally called ssoblog using the blog recipe. I enabled the OpenId Client feature and configured the client using the info I used to create the app with:

image

When I went to https://localhost:44300/ssoblog/Login and clicked on the "Local SSO" button, I got the following error:

InvalidOperationException: Endpoint OrchardCore.OpenId.Controllers.AccessController.Authorize (OrchardCore.OpenId) contains CORS metadata, but a middleware was not found that supports CORS.
Configure your application startup by adding app.UseCors() in the application startup code. If there are calls to app.UseRouting() and app.UseEndpoints(...), the call to app.UseCors() must go between them.

@kevinchalet I know we have updated OpenIddict multiple times lately. Is this an issue, or am I doing something wrong during the setup? I have a feeling that because I am doing this locally I may have to enable the CORS feature, but I want to make sure there isn't a real issue that we should worry about before I mess around with CORS.

@MikeAlhayek
Member Author

Enabling the CORS feature "without creating CORS profile" fixed the issue. If the CORS feature is now required, we should add that feature as a dependency to the feature that requires it.

@kevinchalet
Member

> @kevinchalet I know we have updated OpenIddict multiple times lately. Is this an issue, or am I doing something wrong during the setup? I have a feeling that because I am doing this locally I may have to enable the CORS feature, but I want to make sure there isn't a real issue that we should worry about before I mess around with CORS.

Arf fuck, I recently added the [DisableCors] attributes and this obviously caused a regression (which is stupid: why do we need to register the CORS middleware to disable CORS? 🤣)

Adding the dependency is probably a good idea. Alternatively, we could set RouteOptions.SuppressCheckForUnhandledSecurityMetadata to disable the check.
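
As an added illustration (not part of the original thread and not OrchardCore's code), this minimal ASP.NET Core app reproduces the check and shows the two remedies named in the comment above. `DemoAccessController` and the `CorsCheckMode` setting are hypothetical names chosen for the example.

```csharp
// Added example, not OrchardCore source. DemoAccessController and the
// "CorsCheckMode" setting are hypothetical names used for illustration.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Cors;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

// "none"       -> reproduces the InvalidOperationException from the issue
// "middleware" -> registers CORS so the [DisableCors] metadata is handled
// "suppress"   -> turns the routing check off instead
var mode = builder.Configuration["CorsCheckMode"] ?? "none";

if (mode == "middleware")
{
    builder.Services.AddCors(); // no policy needed; the middleware only has to run
}
else if (mode == "suppress")
{
    // The flag is global: it disables the check for every kind of security
    // metadata routing knows about (authorization metadata included), on
    // every endpoint, not only for CORS on this one.
    builder.Services.Configure<RouteOptions>(options =>
        options.SuppressCheckForUnhandledSecurityMetadata = true);
}

var app = builder.Build();
app.UseRouting();
if (mode == "middleware")
{
    app.UseCors(); // must sit between UseRouting() and endpoint execution
}
app.MapControllers();
app.Run();

[ApiController]
[Route("connect")]
public class DemoAccessController : ControllerBase
{
    // [DisableCors] attaches CORS metadata to the endpoint, which triggers the
    // "contains CORS metadata" check when no CORS middleware has run.
    [DisableCors]
    [HttpGet("authorize")]
    public IActionResult Authorize() => Ok("authorize endpoint reached");
}
```

With the check suppressed, an endpoint that carries authorization metadata while the authorization middleware is missing from the pipeline no longer fails loudly at request time, so pipeline ordering has to be verified by other means such as integration tests.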

@MikeAlhayek
Member Author

@kevinchalet would you mind submitting a PR to fix this? Maybe also upgrade the OpenIddict project "I think you recently had a new release". I am tagging this issue with the 2.0 milestone to ensure this is fixed before the release.

@MikeAlhayek MikeAlhayek added this to the 2.0 milestone Jul 11, 2024

We triaged this issue and set the milestone according to the priority we think is appropriate (see the docs on how we triage and prioritize issues).

This indicates when the core team may start working on it. However, if you'd like to contribute, we'd warmly welcome you to do that anytime. See our guide on contributions here.

@MikeAlhayek
Member Author

@kevinchalet using SuppressCheckForUnhandledSecurityMetadata will give us a small performance gain since we skip checking for security metadata.

@MikeAlhayek
Member Author

I want to ensure this issue is fixed quickly, so I submitted a PR using SuppressCheckForUnhandledSecurityMetadata, which fixes the issue and gives us a slight performance advantage.
