You cannot control CORS or response headers in Dataverse. I'm searching for answers...
MS claims here that:
The server-side part has been done for you and all you need is to know how to consume it
Basically it means you have no control whatsoever.
Note that on make.powerpages.microsoft.com you can tweak some settings for the Power Pages portal, in particular in Security (New) -> Advanced settings (preview) -> Cross Origin Resource Sharing (CORS) tab, but that bit is controlling when you send requests to your portal URL, not the Dataverse URL, so this is useless.
Why might you need to set up CORS?
For example, when requesting a Dataverse token with MSAL with the wrong scope (I tried
scopes: ["api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/dcff9c41-001a-4a07-a51f-3a71aa6e793c/user_impersonation"]
instead of
scopes: ["your-dataverse.api.crm.dynamics.com/user_impersonation"]
), the error details are sitting in the header instead of the response body.
I get this error as an example:
GET https://your-dataverse.api.crm.dynamics.com/api/data/v9.2/WhoAmI 401 (Unauthorized)
with empty Response.
The actual error description is sitting in the response header 401_error_reason:
IDX10214: Audience validation failed. Audiences: 'api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/dcff9c41-001a-4a07-a51f-3a71aa6e793c'. Did not match: validationParameters.ValidAudience: 'null' or validationParameters.ValidAudiences: [REDACTED]
And the response's access-control-expose-headers includes only Preference-Applied,OData-EntityId,Location,ETag,OData-Version,Content-Encoding,Transfer-Encoding,Content-Length,Retry-After,REQ_ID, so I cannot get a message from 401_error_reason since this is not exposed.
In contrast, this is what you get if you send a wrong query with the proper scope your-dataverse.api.crm.dynamics.com/user_impersonation:
GET https://your-dataverse.api.crm.dynamics.com/api/data/v9.2/WhoAmI_wrong 404 (Not Found)
And the error description is returned in the response:
{
"error": {
"code": "0x80060888",
"message": "Resource not found for the segment 'WhoAmI_wrong'."
}
}
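Since script cannot read 401_error_reason, one way to catch the audience mismatch is to inspect the token's aud claim client-side before calling the Web API. This is an added example, not code from the original post or from Microsoft; the function names are hypothetical, the sample tokens are constructed, and it assumes a token requested with the Dataverse scope carries an aud naming the Dataverse host.

```javascript
// Added example, not from the original post. Diagnostic only: the token
// signature is NOT verified, so never use this to make a trust decision.

// Decode the payload (second segment) of a compact JWT from base64url JSON.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 segments)");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Reduce a URL or audience to its lowercase https host; null for anything else,
// such as an "api://<app-id>/..." audience.
function httpsHost(value) {
  const s = String(value).trim();
  try {
    const u = new URL(s.includes("://") ? s : "https://" + s);
    return u.protocol === "https:" ? u.hostname.toLowerCase() : null;
  } catch {
    return null;
  }
}

// Assumption: a token requested with the Dataverse scope carries an "aud" that
// names the Dataverse host. "aud" may be a string or an array of strings.
function checkAudience(accessToken, apiUrl) {
  const { aud } = decodeJwtPayload(accessToken);
  const audiences = aud === undefined ? [] : [].concat(aud);
  const wanted = httpsHost(apiUrl);
  const ok = wanted !== null && audiences.some((a) => httpsHost(a) === wanted);
  return { ok, audiences, wanted };
}

// Constructed, unsigned sample tokens (header.payload.signature placeholders).
function makeSampleToken(payload) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ typ: "JWT" })}.${enc(payload)}.sig`;
}

const API = "https://your-dataverse.api.crm.dynamics.com/api/data/v9.2/WhoAmI";
const wrongToken = makeSampleToken({ aud: "api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/dcff9c41-001a-4a07-a51f-3a71aa6e793c" });
const rightToken = makeSampleToken({ aud: "https://your-dataverse.api.crm.dynamics.com" });

console.log(checkAudience(wrongToken, API)); // ok is false: fix the scope before calling
console.log(checkAudience(rightToken, API)); // ok is true
```

In an MSAL flow the string passed as accessToken would be the accessToken field of the acquired token result.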
The post will be updated if I find how to control CORS on Dataverse...