🔧 Datavere Web Api: how to setup CORS? NO ANSWER YET...

You cannot control CORS or response headers in Dataverse. I'm searching for answers...

MS claim here that:

The server-side part has been done for you and all you need is to know how to consume it

Basically it means you have no control whatsoever.

To note that on make.powerpages.microsoft.com you can tweak some settings for the Power Pages portal, in particular in Security (New) -> Advanced settings (preview) -> Cross Origin Recource Sharing (CORS) tab, but that bit is controlling when you send requests to your portal url, not dataverse url so this is useless.

Why you may need to setup CORS?

For example, when requesting a dataverse token with MSAL with wrong scope:

• I tried scopes: ["api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/dcff9c41-001a-4a07-a51f-3a71aa6e793c/user_impersonation"] instead of scopes: ["your-dataverse.api.crm.dynamics.com/user_impersonation"], the error details are sitting in the header instead of the response body.

I get this error as en example:

GET https://your-dataverse.api.crm.dynamics.com/api/data/v9.2/WhoAmI 401 (Unauthorized) with empty Response.

Actual error description is sitting in the Response Header 401_error_reason

IDX10214: Audience validation failed. Audiences: 'api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/dcff9c41-001a-4a07-a51f-3a71aa6e793c'. Did not match: validationParameters.ValidAudience: 'null' or validationParameters.ValidAudiences: [REDACTED]

And Response's access-control-expose-headers: includes only Preference-Applied,OData-EntityId,Location,ETag,OData-Version,Content-Encoding,Transfer-Encoding,Content-Length,Retry-After,REQ_ID, so I cannot get a message from 401_error_reason since this is not exposed.

On the contrary, that is what you get if you send a wrong query to the proper scope your-dataverse.api.crm.dynamics.com/user_impersonation:

GET https://your-dataverse.api.crm.dynamics.com/api/data/v9.2/WhoAmI_wrong 404 (Not Found)

And the error description is returned in the response:

{
    "error": {
        "code": "0x80060888",
        "message": "Resource not found for the segment 'WhoAmI_wrong'."
    }
}

The post will be updated if I find how to control CORS on Dataverse...