sszhupku | 2019-07-24 01:09:58 UTC | #1
Issues:
When we follow the code tutorial on the authorization code grant and redirect to oauth/authorize in our server code, sometimes, because our redirect request is a preflight request, the request method is OPTIONS. However, OPTIONS is not an allowed method on this endpoint.
It only works on initial page load, where the request method in the redirect is GET (since GET is an allowed method for this endpoint).
According to this doc: https://developer.mozilla.org/en-US/docs/Web/HTTP/Server-Side_Access_Control
It's typical to send an OPTIONS method in a preflight request (where the client has some headers set due to application logic, it is considered a preflight request).
It would be nice if the PureCloud oauth/authorize endpoint could support the OPTIONS method.
tim.smith | 2019-07-24 14:08:48 UTC | #2
Preflight requests are specifically used for CORS, and CORS is only used for browsers. Because the auth code grant is only acceptable for back-end services (non-browser apps), it does not allow preflight requests. If you're trying to authorize a browser app, you need to use the implicit grant.
sszhupku | 2019-07-24 17:13:47 UTC | #3
I followed the instructions for the authorization code grant in a Node server. In the example code, line 25
res.redirect(redirectUri);
is a result of the browser request on line 16:
if((req.cookies && !(req.cookies.session && sessionMap[req.cookies.session])) &&
Then, in the browser network tab, we can see the redirect URL shown, immediately following the first request with the missing token (req in line 16).
In our use case, the req in line 16 is treated as a preflight request by the Chrome browser since we have specific custom headers, so it is not a simple request.
Are you suggesting that the request in line 16 is not coming from a browser app but rather from another backend service? That doesn't make too much sense since it is checking the cookie.
Code Source: https://developer.mypurecloud.com/api/tutorials/oauth-auth-code/?language=nodejs&step=1
tim.smith | 2019-07-25 14:34:18 UTC | #4
I just ran that tutorial without making any code changes and it works correctly. I'm not sure what you're doing in your app, but a redirect shouldn't ever cause the browser to make an OPTIONS request. An OPTIONS request would only be made if your app is making an AJAX request, which is not part of how a browser handles a redirect when loading a page.
sszhupku | 2019-07-27 00:23:03 UTC | #5
sszhupku, post:1, topic:5620
header
The tutorial is only doing one AJAX request.
I created another example; the second call triggers the OPTIONS HTTP method here:
https://github.com/MyPureCloud/developercenter-tutorials/pull/20/files#diff-0a423a51b385b440a6c8df7510530495R107
The use case is very common. Say a token expires on the server; when the browser sends a '/GET' request, the server will need to refetch the token and update it.
The current authorization code grant API won't allow this because of the lack of support for OPTIONS, so the browser has to do a hard refresh of the page.
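Added example, not part of the thread or of the tutorial's code: one way for the server to handle the expired-session case above without sending an AJAX call through a redirect to the authorize endpoint, which is the cross-origin request the browser preflights when custom headers are set. Page loads still get the 302; AJAX calls get a 401 carrying the login URL so the page can navigate there itself. The URLs, client ID and function names are placeholders assumed for the example; `state` is the standard OAuth 2.0 parameter.

```javascript
const crypto = require('crypto');

// Placeholder values (assumptions for this example, not real endpoints or IDs).
const CONFIG = {
  authorizeUrl: 'https://login.example.com/oauth/authorize',
  clientId: 'CLIENT_ID_PLACEHOLDER',
  redirectUri: 'https://app.example.com/oauth2/callback',
};

// True only for a top-level page load. Browsers that send Fetch Metadata mark
// these with Sec-Fetch-Mode: navigate; otherwise fall back to older hints.
// Header names are lowercase, as Node's http module delivers them.
function isNavigation(method, headers) {
  if (method !== 'GET') return false;
  const mode = headers['sec-fetch-mode'];
  if (mode) return mode === 'navigate';
  if (headers['x-requested-with'] === 'XMLHttpRequest') return false;
  return (headers['accept'] || '').includes('text/html');
}

// Build the authorization code grant URL with an anti-CSRF state value.
function buildLoginUrl(state) {
  const url = new URL(CONFIG.authorizeUrl);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', CONFIG.clientId);
  url.searchParams.set('redirect_uri', CONFIG.redirectUri);
  url.searchParams.set('state', state);
  return url.toString();
}

// Decide the response for a request that has no valid session.
// The caller stores `state` server-side and checks it on the callback.
function unauthenticatedResponse(method, headers) {
  const state = crypto.randomBytes(16).toString('hex');
  const loginUrl = buildLoginUrl(state);
  if (isNavigation(method, headers)) {
    return { status: 302, headers: { Location: loginUrl }, state };
  }
  // AJAX: answer on our own origin, so no request is redirected to the login host.
  return {
    status: 401,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ error: 'login_required', loginUrl }),
    state,
  };
}
```

On a 401 with `login_required`, the page script sets `window.location` to `loginUrl`, which is a plain GET navigation to the authorize endpoint.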
system | 2019-08-27 00:23:07 UTC | #6
This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.
This post was migrated from the old Developer Forum.
ref: 5620