I have an application on the back end that is protected by the OAuth 2 authorization code flow. The front end (JavaScript in the browser) goes to the authorization endpoint on the back end, the back end redirects the browser to the authorization server, the user authenticates, and then the authorization server redirects the browser back to the back end with an authorization code, which the back end exchanges with some service for the token.
The problem is that all these redirects occur sequentially, and CORS in the browser prevents the exchange. What CORS configuration do the servers need to make this flow work?
browser -> POST app.com/auth
app.com -> 307 auth.com/auth?redirect=app.com/auth
browser -> POST auth.com/auth?redirect=app.com/auth (with authorization header)
auth.com -> 307 app.com/auth?authcode=fubar
browser -> POST app.com/auth?authcode=fubar
That is roughly how it should be.
EDIT: Browser says
XMLHttpRequest cannot load http://app.com/autho . the request was redirected to ' http://autho.com/auth?response_type=code&redirect_uri=http://app.com/autho&state=639bfbe7-fd20-4c04-8feb-c9f60f4d55a9&client_id=0xdeadbeef ', which is forbidden for requests with cross origin requiring preflight protection.
EDIT2: So the redirect works fine without the Authorization header. I guess the data now goes in the body.
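As an added example (not code from the question's author), a small Node.js script that applies the Fetch specification's CORS-safelisting rules to show why the POST carrying an Authorization header triggers a preflight, whose redirect the browser rejects as in the quoted error, while the same POST with the data moved into a form-encoded body is a "simple" request that needs no preflight. The request shapes are constructed to mirror the two variants in the question.

```javascript
// Added example: classify a cross-origin request as "simple" (sent directly,
// redirects are followed) or "preflighted" (browser sends OPTIONS first; a
// redirect of the preflight is rejected, matching the quoted browser error).
// Rules follow the Fetch spec's CORS-safelisted method and header lists;
// value-length and character-set limits on safelisted headers are omitted.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Returns the reasons a request needs a preflight; an empty list means "simple".
function preflightReasons({ method = "GET", headers = {} }) {
  const reasons = [];
  if (!SAFE_METHODS.has(method.toUpperCase())) {
    reasons.push(`method ${method} is not CORS-safelisted`);
  }
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.has(lower)) {
      // Authorization, X-Requested-With, etc. always force a preflight.
      reasons.push(`header ${name} is not CORS-safelisted`);
    } else if (lower === "content-type") {
      // Only the MIME essence counts; parameters such as charset are ignored.
      const essence = value.split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(essence)) {
        reasons.push(`Content-Type ${value} is not CORS-safelisted`);
      }
    }
  }
  return reasons;
}

function needsPreflight(request) {
  return preflightReasons(request).length > 0;
}

// Constructed requests mirroring the two variants described in the question.
const withAuthHeader = {
  method: "POST",
  headers: { Authorization: "Bearer <constructed-token>" },
};
const withBodyOnly = {
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
};

console.log("Authorization header:", preflightReasons(withAuthHeader));
console.log("Form body only:", preflightReasons(withBodyOnly));
```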