• boettr

    Hi Mat,

    I found this blog entry when I was already a fair way down the path of producing the same content. I have compared our code and procedure and they appear to be identical but I am stuck!

    my request to web API is passing the Authorization: Bearer cookie on request but I am receiving a 401 and the following error “Authorization has been denied for this request”.

    Any ideas on what might be causing this issue? It doesn’t appear to be CORS related since if I disable authorisation attribute it goes through just fine.

    Any help would be greatly appreciated.


    • Hey Robert,

      Some questions to help investigating the problem:

      1-If you run fiddler, does the 401 come after the OPTIONS request (the preflight) or the GET request after that? Does it ever send a OPTIONS request first?

      2-Are you running your solution locally while the web api is on internet? More specifically, if you run on IE and your code crosses zones (intranet to internet) then CORS gets blocked by default

      3-Is the web api hosted on azure or somewhere else? Is it behind some kind of reverse proxy? You could have that blocking and responding with 401 before your code has a chance of dealing with that request

      • boettr

        Hi Mat,

        Thanks for your response. In answer to your questions.

        1. Yes the 401 comes after the options request
        2/3. Both are running in Azure

        I tried running the solution locally and put in place a custom authorization attribute so I could debug pause and it is definitely making it that far!

        • Ok, so take a look at the readme here: https://github.com/matvelloso/AngularJSCORS

          Getting a 401 out of an options request is unlikely so very few things could be causing it:
          1-Make sure you did NOT enable the authentication button at the azure website (number 2 in the “things you should NOT do” in my readme). That will definitely throw you into an error with the options request
          2-Make sure you did install the nuget package for CORS on your web api and properly set the attributes like I did in my code
          3-Make sure you are NOT using wildcards (*) as the allowed origins. You have to be specific about which origins you allow and they have to match the source site
          4-Make sure the origin does NOT end with a “/”

          From your description my guess is that the web api is not correctly configured for CORS so it’s refusing the options request as something there isn’t matching what it expects.

  • Michael

    Hi Mat,

    I’m stuck also with the 401 Authentication Error. I have a .NET backend WebApi and want to use it with my Angular site.

    I have made a Windows Forms application to connect, and this works good with the Azure Active Directory.

    With the Angular App, I can login in the Azure AD. I receive a token. I can see the API call is made with a GET function. The bearer authorisation header is filled with the token. Unfortunately I get a 401 error everytime.

    In Azure in the application for the client, i have enable the oauth passthrough in the manifest, and gave permission to connect to my server application. Do you have any suggestion what else I can do to make it work?

    • Hi Michael,

      If authentication works, preflight works and you see the actual get request being sent to your web api, but bouncing with a 401 then I will assume that the web api doesn’t like something about this token. Likely a common cause will be the audience. Whatever audience you have set on your javascript client doesn’t match the audience the web api expects. In this presentation https://mix.office.com/watch/hz3p9nw4aeur I talk about it right at the end, scenario 13.