Menu
I have a back end application that is protected with the OAuth 2 authorization code flow. The front end (javascript in browser) hits an authorization endpoint on the back end, the back end redirects the browser to an authorization code server, the user authenticates and then the authorization server redirects the browser back to the back end with an authorization code which the back end redeems for a token to access some services.
The problem is that these redirects all happen in succession and CORS in the browser is preventing the exchange. What do the servers need to do as far as CORS to make this flow work?
browser -> POST app.com/auth
307 auth.com/auth?redirect=app.com/auth <-
browser -> POST auth.com/auth?redirect=app.com/auth (with authorization header)
307 app.com/auth?authcode=fubar <-
browser -> POST app.com/auth?authcode=fubar
Is roughly how it is supposed to go.
EDIT: Browser says
XMLHttpRequest cannot load http://app.com/autho. The request was redirected to 'http://autho.com/auth?response_type=code&redirect_uri=http://app.com/autho&state=639bfbe7-fd20-4c04-8feb-c9f60f4d55a9&client_id=0xdeadbeef', which is disallowed for cross-origin requests that require preflight.
EDIT2: So the redirect works fine without the Authorization header. Guess that data is going in the body for now.
556
The OAuth 2.0 authorization code grant type, or auth code flow, enables a client application to obtain authorized access to protected resources like web APIs. The auth code flow requires a user-agent that supports redirection from the authorization server (the Microsoft identity platform) back to your application.
The user clicks a login link in the application and enters credentials into a form managed by the app. The application stores the credentials, and passes them to the OAuth authorization server. The authorization server validates credentials and returns the Access Token (and an optional Refresh Token).
How Does OAuth 2.0 Work? At the most basic level, before OAuth 2.0 can be used, the Client must acquire its own credentials, a client id and client secret, from the Authorization Server in order to identify and authenticate itself when requesting an Access Token.
The thing that seems incorrect to me here is that you're trying to use a redirection protocol flow from JavaScript.
Normally, your browser gets redirected to the authorization server and upon successful authentication, the browser is redirected back to the application with an auth-code or access token (depending on which flow is used).
In that case, you are not talking to the authorization server from JavaScript, so cross origin considerations do not come into play.
If you want to use OAuth2 from a JavaScript client, I suggest you look at the implicit grant, which is a redirection flow designed for untrusted clients like JavaScript applications.
98
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
