Rails 6 CORS issue when accessing Azure AD
I am trying to implement devise/oauth against Azure AD following the steps from this article.
It looks like the gem is working: I get a link to login.microsoft.com with params, which is sent via the POST method, but I get a CORS error:
Access to fetch at 'https://login.microsoftonline.com/xxxxxx/oauth2/v2.0/authorize?client_id=zzzz&prompt&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fusers%2Fauth%2Fazure_activedirectory_v2%2Fcallback&response_type=code&scope=openid+profile+email&state=xxxxx' (redirected from 'http://localhost:3000/users/auth/azure_activedirectory_v2') from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
When I check the network tab in the console, I see that the headers look fine:
> Request URL: http://localhost:3000/users/auth/azure_activedirectory_v2
> Request Method: POST
> Status Code: 302 Found
> Remote Address: [::1]:3000
> Referrer Policy: strict-origin-when-cross-origin
> Access-Control-Allow-Credentials: true
> Access-Control-Allow-Methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
> Access-Control-Allow-Origin: http://localhost:3000
> Access-Control-Expose-Headers:
> Access-Control-Max-Age: 7200
> Cache-Control: no-cache
> Content-Length: 361
> Location: https://login.microsoftonline.com/xxxx
I use the rack-cors gem with this config in cors.rb:

```ruby
# config/initializers/cors.rb
Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins 'http://localhost:3000'
    resource '*',
      headers: :any,
      methods: :any,
      credentials: true
  end
end

Rails.application.config.hosts << ".microsoft.com"
```

What am I missing? When I manually open the Location of that POST request that I see in the console, I get the login screen for a Microsoft account, which is expected.
Edit: When I enable debug in cors.rb, I see that only for my POST request there is no header:
```text
Incoming Headers:
  Origin: http://localhost:3000
  Path-Info: /mini-profiler-resources/results
  Access-Control-Request-Method:
  Access-Control-Request-Headers:
{"Access-Control-Allow-Origin"=>"http://localhost:3000", "Access-Control-Allow-Methods"=>"GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS", "Access-Control-Expose-Headers"=>"", "Access-Control-Max-Age"=>"7200", "Access-Control-Allow-Credentials"=>"true"}
Incoming Headers:
  Origin: http://localhost:3000
  Path-Info: /mini-profiler-resources/results
  Access-Control-Request-Method:
  Access-Control-Request-Headers:
{"Access-Control-Allow-Origin"=>"http://localhost:3000", "Access-Control-Allow-Methods"=>"GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS", "Access-Control-Expose-Headers"=>"", "Access-Control-Max-Age"=>"7200", "Access-Control-Allow-Credentials"=>"true"}
Incoming Headers:
  Origin: http://localhost:3000
  Path-Info: /mini-profiler-resources/results
  Access-Control-Request-Method:
  Access-Control-Request-Headers:
{"Access-Control-Allow-Origin"=>"http://localhost:3000", "Access-Control-Allow-Methods"=>"GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS", "Access-Control-Expose-Headers"=>"", "Access-Control-Max-Age"=>"7200", "Access-Control-Allow-Credentials"=>"true"}
Incoming Headers:
  Origin: http://localhost:3000
  Path-Info: /users/auth/azure_activedirectory_v2
  Access-Control-Request-Method:
  Access-Control-Request-Headers:
```
Solution 1:[1]
OK, for everybody who will spend a lot of time trying to find the problem:
https://accidentaltechnologist.com/ruby-on-rails/hotwire-fix-for-cors-error-when-using-omniauth/
Actually, the only thing that needs to be done is to change the link_to to the button_to helper and disable Turbo for it, so add data-turbo false.
This is how it should look, and all works well; I can authenticate with AD:

```erb
<%= button_to "Log in with Azure AD", user_azure_activedirectory_v2_omniauth_authorize_path, method: :post, data: { turbo: "false" }, class: "btn btn-primary" %>
```
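The reason the rack-cors headers in the question are correct and yet irrelevant is that the browser applies CORS per hop of the fetch Turbo started: the first hop to localhost:3000 is same-origin, but the 302 sends the fetch to login.microsoftonline.com, and only that server's Access-Control-Allow-Origin decides the second hop. The following Ruby is an added illustration of that per-hop origin comparison, not code from the question, the answers, or rack-cors; the URLs are taken from the question's error message and the helper names (origin_of, classify_fetch_chain, app_cors_allows?) are made up for this example.

```ruby
require "uri"

# Serialize a URL to its web origin ("scheme://host[:port]"), the value a
# browser compares when deciding whether a request is cross-origin.
# Default ports (80 for http, 443 for https) are omitted.
def origin_of(url)
  u = URI.parse(url)
  port = u.port == u.default_port ? "" : ":#{u.port}"
  "#{u.scheme.downcase}://#{u.host.downcase}#{port}"
end

def same_origin?(a, b)
  origin_of(a) == origin_of(b)
end

# A minimal model of what `origins 'http://localhost:3000'` in cors.rb does:
# the app only emits Access-Control-Allow-Origin for an Origin on its list.
# This check runs on OUR server and so can only affect OUR responses.
def app_cors_allows?(allowed_origins, request_origin)
  allowed_origins.include?(request_origin)
end

# Walk the redirect chain a fetch() would follow from page_url. For each hop
# report whether it is cross-origin and therefore whose CORS headers decide it.
# Once a hop leaves the page's origin, nothing the Rails app sends on its own
# 302 can satisfy the check; the redirected-to server would have to allow us.
def classify_fetch_chain(page_url, hops)
  hops.map do |url|
    cross = !same_origin?(page_url, url)
    {
      url: url,
      cross_origin: cross,
      decided_by: cross ? "#{origin_of(url)} (its Access-Control-Allow-Origin)" : "none (same-origin)"
    }
  end
end

# Constructed sample mirroring the question's error message.
PAGE = "http://localhost:3000/users/sign_in"
HOPS = [
  "http://localhost:3000/users/auth/azure_activedirectory_v2",
  "https://login.microsoftonline.com/xxxxxx/oauth2/v2.0/authorize?client_id=zzzz&response_type=code"
].freeze

if $PROGRAM_NAME == __FILE__
  puts "app allows Origin #{origin_of(PAGE)}: #{app_cors_allows?(['http://localhost:3000'], origin_of(PAGE))}"
  classify_fetch_chain(PAGE, HOPS).each do |hop|
    puts "#{hop[:url]}\n  cross-origin: #{hop[:cross_origin]}, decided by: #{hop[:decided_by]}"
  end
end
```

The second hop is the one the browser rejects, and the model shows why a `data-turbo="false"` button fixes it: a plain form submission is a top-level navigation, not a fetch, so no CORS check applies to the redirect at all.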
Solution 2:[2]
The short solution is to add data: {turbo: "false"} to the link that triggers the OAuth request.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Mi Ro |
| Solution 2 | Thomas Van Holder |
