erossini asked erossini answered

R API using Plumber under Azure API Management CORS error

I'm trying to create some APIs in R with Plumber. I have managed to publish the API on a server and I can access them via browser: Swagger is exposed without any authentication. The code is

 # api.R
    
 #* Echo back the input
 #* @param msg The message to echo
 #* @get /echo
 function(msg="") {
   list(msg = paste0("The message is: '", msg, "'"))
 }
    
 #* Plot a histogram
 #* @serializer png
 #* @get /plot
 function() {
   rand <- rnorm(100)
   hist(rand)
 }
    
 #* Return the sum of two numbers
 #* @param a The first number to add
 #* @param b The second number to add
 #* @post /sum
 function(a, b) {
   as.numeric(a) + as.numeric(b)
 }
    
 #* @filter cors
 cors <- function(res) {
     res$setHeader("Access-Control-Allow-Origin", "*")
     plumber::forward()
 }

and they are working.


I want to protect them and I am thinking of using the Azure API Management service. I have created the service and added the APIs using the Swagger document. I also added CORS in the Inbound processing.


In Settings I didn't change anything, although I should use OpenID Connect.


There is a simple API, /echo, that requires msg as a parameter. If I run the test for this API, I receive 400 Bad Request.


In the Trace I have this error 3 times:

cors (0.020 ms) "Origin header was missing or empty and the request was classified as not cross-domain. CORS policy was not applied."

I can't find what the error is about. Also, I enabled CORS in the Developer Portal, although I think it is totally unrelated.

What did I do wrong? What is the correct configuration?




azure-api-management

Hello @erossini

Could you post the info under the Trace tab? Have you tried simulating a CORS request in Postman instead of Azure Portal? Generally speaking, if the end goal is to protect the backend API with minimal effort, I would look to implement IP based restrictions, and whitelist the IP address from your APIM: IP addresses of Azure API Management, and then move on to setting up the OpenID Connect part of the configuration.

CORS is only specific to async requests sent from browsers so the setting on Dev Portal is irrelevant as the session you initiated occurred outside of it.
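
A stricter version of the `cors` filter from the question, as an added example that is not part of the original thread: it returns `Access-Control-Allow-Origin` only for allowlisted origins instead of `*`, answers preflight `OPTIONS` requests itself, and forwards requests that carry no `Origin` header unchanged. The origins in `ALLOWED_ORIGINS` are placeholders, and the allowed methods and headers are assumptions chosen to match the `/echo` and `/sum` endpoints.

```r
# api.R (added example; ALLOWED_ORIGINS holds placeholder values)
# Run with: plumber::pr_run(plumber::pr("api.R"), port = 8000)

# Assumption: the only browser origins that may call this API.
ALLOWED_ORIGINS <- c(
  "https://portal.example.com",
  "https://app.example.com"
)

#* @filter cors
cors <- function(req, res) {
  origin <- req$HTTP_ORIGIN

  # No Origin header: the request is not a cross-origin browser call,
  # so there is no CORS decision to make. Authentication and network
  # restrictions still have to cover these requests.
  if (is.null(origin) || !nzchar(origin)) {
    return(plumber::forward())
  }

  allowed <- origin %in% ALLOWED_ORIGINS
  if (allowed) {
    # Echo the single matching origin instead of "*".
    res$setHeader("Access-Control-Allow-Origin", origin)
    # The response now depends on the Origin header; tell caches.
    res$setHeader("Vary", "Origin")
  }

  if (identical(req$REQUEST_METHOD, "OPTIONS")) {
    # Preflight: answer here so it never reaches an endpoint.
    if (!allowed) {
      res$status <- 403
      return(list(error = "origin not allowed"))
    }
    res$setHeader("Access-Control-Allow-Methods", "GET, POST")
    res$setHeader("Access-Control-Allow-Headers", "Content-Type")
    res$status <- 200
    return(list())
  }

  # Actual request: without the allow header a browser will not let
  # scripts from a non-listed origin read the response.
  plumber::forward()
}

#* Echo back the input
#* @param msg The message to echo
#* @get /echo
function(msg = "") {
  list(msg = paste0("The message is: '", msg, "'"))
}
```

CORS headers only control what browser scripts may read; they do not authenticate callers, so this filter complements the IP restriction and OpenID Connect setup mentioned in the thread rather than replacing them.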



1 Answer

erossini answered

Thank you for your reply. I found the issue; it was in the firewall configuration. I have a different problem now.



@erossini That's great! I'll review the problem described in your other thread and post an answer soon. In the meantime, please consider posting an answer and marking it as the accepted answer here so that it may benefit & help others visiting this thread in the future :)
