Azure - Website calling API - The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed

azure function call external api
.net core web api azure ad authentication
how to call web api in asp.net c#
web api azure active directory authentication
azure rest api authentication example
azure protected web api
azure logic app call web api
azure portal

I have a website in Azure that is calling an API (also in Azure).

When I published the website and the API, and tried them a few times, I could GET data, but not POST or DELETE. It was saying something that 'Access-Control-Allow-Origin' header was not set.

So I started fiddle with the CORS (I already had in the controller

[EnableCors(origins: "*", headers: "*", methods: "GET")]

, and in WebApiConfig

var cors = new EnableCorsAttribute("*", "*", "*"); config.EnableCors(cors);

according to this documentation, which used to work when I was running the services locally https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api )

Now, after nothing worked and I reversed to the original state (when GET was working), I keep getting this errors in the console in Chrome:

The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.

and this in Firefox:

Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘(null)’

I do not have access to .htaccess . I checked if I have other CORS related code in the services I mentioned and from what I can tell, it's only the stuff described above. I also tried to comment the code above and the errors still remain the same.

Do you have a try to config it on the Azure Portal? If not, please have a try to config it on your Azure WebAPI site. More details please refer to the screenshot. We also can get the related info from the Azure official document.

Build a web app that calls web APIs, Learn how to build a web app that signs users in to the Microsoft identity platform, and then calls web APIs on behalf of the signed-in user. Creating Voice Calling Applications Has Never Been Easier- Try it Free!

I was experiencing exactly this same error but in my case the solution was in removing from the web.config these lines to fix it.

<httpProtocol>
 <customHeaders>
   <add name="Access-Control-Allow-Origin" value="*" />
 </customHeaders>
</httpProtocol>

Deploy and call web APIs & REST APIs from Azure Logic Apps , Before you can call your custom API from a logic app, deploy your API as a web app or API app to Azure App Service. Also, to make your  You can use the same principle to call any web API. Most Azure web APIs provide an SDK that simplifies calling the API. This is also true of Microsoft Graph. In the next article, you'll learn where to find a tutorial that illustrates API use.

I left only config.EnableCors(); in App_Start/WebApiConfig.cs.

And used [EnableCors(origins: "*", headers: "*", methods: "*")] in the controllers.

Note: after everything worked out, I changed the "origins" from "*" to the address of the website that uses the API.

Here's another guide I found useful: http://www.c-sharpcorner.com/article/fix-to-no-access-control-allow-origin-header-is-present-or-w/

Calling a web API in a web app using Azure AD and OpenID , This sample shows how to build an MVC web application that uses Azure AD for sign-in using the OpenID Connect protocol. You add authentication to your web app so that it can sign users in and call a web API on behalf of the signed-in user. Web apps that call web APIs are confidential client applications. That's why they register a secret (an application password or certificate) with Azure Active Directory (Azure AD). This secret is passed in during the call to Azure AD to get a token. Specifics

Build a web API that calls web APIs, The protected web API validates the token and uses the Microsoft Authentication Library (MSAL) AcquireTokenOnBehalfOf method to request  This sample shows how to build an MVC web application that uses Azure AD for sign-in using the OpenID Connect protocol, and then calls a web API under the signed-in user's identity using tokens obtained via OAuth 2.0. This sample uses the OpenID Connect ASP.Net OWIN middleware and ADAL .Net.

Tutorial: Host RESTful API with CORS, Learn how Azure App Service helps you host your RESTful APIs with CORS support. App Service can host both front-end web apps and back  It seems you want to call API inside your azure function here is the code sample for your understanding: In this Function I supplied a MPN number as Input which valid from a 3rd party API and return true and false in response.

Get a token in a web app that calls web APIs, To get this token, you call the MSAL AcquireTokenSilent method (or the equivalent in Microsoft.Identity.Web). Call the protected API, passing  To call a protected web API from an application, you need to grant your application permissions to the API. In the prerequisite tutorial, you created a web application in Azure AD B2C named webapp1. You use this application to call the web API. App registrations (Preview) Select Applications, and then select the web application that should have

Comments
  • Try only one "*" in the EnableCorsAttribute?
  • Do you have any update?
  • @TomSun-MSFT I left only config.EnableCors(); in App_Start/WebApiConfig.cs and used [EnableCors(origins: "*", headers: "*", methods: "*")] in the controllers (after everything worked out, I changed the "origins" from "*" to the address of the website that uses the API). Here's another guide I found useful: c-sharpcorner.com/article/…
  • I am glad you have worked it out . Do you have a try just set it from azure portal? Base on my experence, it will also work.
  • If you add your soluation to answer that will help more communities.
  • Thanks, didn't realize this was overriding settings from in the app. Odd behavior when this isn't enabled in the portal but configurations are otherwise valid in the app.