Change to Code Auth Flow, No CORS Header #6

Closed
rwrobe opened this issue Aug 31, 2016 · 1 comment
rwrobe commented Aug 31, 2016

I've modified the OD_Auth script to use the code authentication flow described here, but am getting a CORS header missing error:

```
XMLHttpRequest cannot load https://login.live.com/oauth20_token.srf. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
```

This is my auth callback:

```javascript
var onAuthCallback = function () {
    // getAuthInfoFromUrl() and getAppInfo() are helpers from the OD_Auth script
    // (not shown here); getAuthInfoFromUrl() reads the ?code= value from the
    // redirect URL and getAppInfo() returns the registered app settings.
    var auth_code = getAuthInfoFromUrl(),
        appInfo = getAppInfo(),
        url = 'https://login.live.com/oauth20_token.srf',
        // Form-encoded body of the code-for-token exchange. Values are
        // percent-encoded so a redirect_uri or code containing '&' or '='
        // cannot break the body apart. Note that this sends client_secret
        // from browser-side JavaScript, where anyone can read it.
        params = 'client_id=' + encodeURIComponent( appInfo.clientId )
               + '&redirect_uri=' + encodeURIComponent( appInfo.redirect_uri )
               + '&client_secret=' + encodeURIComponent( appInfo.clientSecret )
               + '&code=' + encodeURIComponent( auth_code )
               + '&grant_type=authorization_code',
        method = 'POST',
        xhr = createCORSRequest( method, url );

    // Access-Control-Allow-Origin is a *response* header that only the token
    // server can set; sending it as a request header does not satisfy the
    // browser's preflight check, so this line has no effect on the error.
    xhr.setRequestHeader( "Access-Control-Allow-Origin", appInfo.base_uri );
    xhr.setRequestHeader( "Content-type", "application/x-www-form-urlencoded" );

    xhr.onload = function () {
        console.log( xhr.responseText );
    };

    xhr.onerror = function () {
        // Error code goes here.
    };

    xhr.send( params );
};

// Cross-origin XHR helper; the function expression is assigned before
// onAuthCallback runs, so the later definition is not a problem.
var createCORSRequest = function ( method, url ) {
    var xhr = new XMLHttpRequest();

    if ( "withCredentials" in xhr ) {
        // Most browsers.
        xhr.open( method, url, true );
    } else if ( typeof XDomainRequest != "undefined" ) {
        // IE8 & IE9
        xhr = new XDomainRequest();
        xhr.open( method, url );
    } else {
        // CORS not supported.
        xhr = null;
    }

    return xhr;
};
```

Am I missing something?

rgregg (Contributor) commented Feb 6, 2017

Code flow isn't available for single page JavaScript apps. Token flow is required in that scenario. The token endpoint doesn't support CORS to enforce this.

You can still receive a new access_token by using a hidden IFRAME to renew the access_token from a single page app. There are more details about that here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-implicit#refreshing-tokens

@rgregg rgregg closed this as completed Feb 6, 2017