CORS error when posting to /oauth2/token

Reply to CORS error when posting to /oauth2/token on Tue, 05 Oct 2021 05:37:03 GMT

germyrinn — Tue, 05 Oct 2021 05:37:03 GMT

@pleymor said in CORS error when posting to /oauth2/token:

Access to XMLHttpRequest at ... has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

The Same Origin Policy (SOP) is a security measure standardized among browsers. It is needed to prevent Cross-Site Request Forgery (CSRF). The "Origin" mostly refers to a "Domain". Same Origin Policy prevents different origins (domains) from interacting with each other, to prevent attacks such as CSRF (Cross Site Request Forgery) through such requests, like AJAX. In other words, the browser would not allow any site to make a request to any other site. Without Same Origin Policy , any web page would be able to access the DOM of other pages.

This SOP (Same Origin Policy) exists because it is too easy to inject a link to a javascript file that is on a different domain. This is actually a security risk ; you really only want code that comes from the site you are on to execute and not just any code that is out there.

If you want to bypass that restriction when fetching the contents with fetch API or XMLHttpRequest in javascript, you can use a proxy server so that it sets the header Access-Control-Allow-Origin to *.

If you need to enable CORS on the server in case of localhost, you need to have the following on request header.

Access-Control-Allow-Origin: http://localhost:9999

Reply to CORS error when posting to /oauth2/token on Fri, 21 May 2021 14:20:46 GMT

yehoudaB — Fri, 21 May 2021 14:20:46 GMT

@IzioDev thanks a lot !!!!
I have been looking for 2 weeks for the right way to implement it

Reply to CORS error when posting to /oauth2/token on Thu, 11 Mar 2021 13:41:35 GMT

IzioDev — Thu, 11 Mar 2021 13:41:35 GMT

In my case I fixed it by adding CORS headers to my reverse-proxy (traefik v2). Here's how :

version: "3.7"

services:
  # Traefik
  reverse-proxy:
    labels:
      traefik.http.middlewares.corsheaders.headers.accesscontrolalloworigin: "*"
      traefik.http.middlewares.corsheaders.headers.accesscontrolallowheaders: "*"

  # Nest
  api:
    labels:
      - traefik.http.routers.api.middlewares=corsheaders

This allow all origin and all headers (this isn't secured but this works for development use).

Reply to CORS error when posting to /oauth2/token on Thu, 25 Feb 2021 16:26:19 GMT

dan — Thu, 25 Feb 2021 16:26:19 GMT

Glad you solved it!

Reply to CORS error when posting to /oauth2/token on Wed, 24 Feb 2021 08:49:31 GMT

pleymor — Wed, 24 Feb 2021 08:49:31 GMT

Hello @dan,

Thanks a lot for your fast reaction!

I'm using FusionAuth 1.24.0, and yes there is a reverse proxy to reach it.

It was the same with several browsers.

Thank you, the solution was what you suggested

We manually added the header "Access-Control-Allow-Origin": window.location.origin in our call to /oauth2/token, and it worked

Reply to CORS error when posting to /oauth2/token on Tue, 23 Feb 2021 22:40:34 GMT

dan — Tue, 23 Feb 2021 22:40:34 GMT

Hiya @adrien-laugueux ,

Really appreciate all the detail in this forum post. A few more questions:

What version of FusionAuth are you using?
Are you proxying access to auth.southpigalle.io or is does that request go directly to FusionAuth?
Does this issue happen with browsers other than Chrome?
What do the token endpoint headers look like? Are there any access-control* headers sent?