Jeroen | 2017-11-28 10:44:00 UTC | #1
Hello,
I'd like to show some data in a browser that a normal user would normally not have access to, like IVR schedules and phone numbers. As there doesn't seem to be a read / view only permission for the data I need, I thought to add a middleware that requests an accessToken using the Client Credentials Grant and use that token to request the data. The middleware is located on the same server / same domain, but I still get a CORS error (testing this with localhost works).
The flow: Browser (javascript SDK) => ajax request to PHP script => get accessToken with client credentials => return accessToken to javascript, Use it to authenticate => CORS error
Any other workaround anyone has come up with?
Thanks, Jeroen
Dariusz | 2017-11-28 20:58:41 UTC | #2
Hi, you can perform the API call in your PHP script (after authentication) and then return results to the browser. I think that from the security point of view it isn't a good idea to return to the user's browser the token with wider rights than assigned to the user.
Jeroen | 2017-11-29 09:31:54 UTC | #3
Yes, I could do that; unfortunately, I have to change my setup for this.
I know it's not ideal, but I do not see how else I could make the information available in a read-only way for non-admins. I want to make the schedules, phone numbers and routing available to supervisors without the need to keep a separate document with that info. The access rights are all or nothing, with no possibility to set them to read- or view-only.
tim.smith | 2017-11-29 15:37:02 UTC | #4
The CORS error here is by design. Client Credentials grants are not intended to be used from a browser, and therefore do not have a redirect URI configuration. Without a redirect URI config, it is not possible for the API service to set CORS headers on the responses. Thus, you cannot use a client credentials auth token in a browser.
If you must use client credentials to access the data, you must build a middleware service that your web app makes requests to. The middleware service will be responsible for using client credentials to authenticate, then make any requests necessary to fulfil the request made by the web client. This way your middleware service is returning data, not auth tokens.
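The pattern Dariusz and tim.smith describe above, as an added illustration that is not code from the thread or from any vendor SDK: a server-side proxy that obtains the client-credentials token, caches it until shortly before expiry, only fetches resources from a small read-only allowlist for a user who has already logged in to the web app, and returns the data without ever returning the token. The token and API URLs, the resource paths, the `demo-id`/`demo-secret` pair and the `FakeUpstream` test double standing in for the identity provider and API are all constructed placeholders; a real deployment would swap the `http_post`/`http_get` callables for an HTTP client.

```python
import base64
import time
from typing import Any, Callable, Dict, Optional, Tuple

# Placeholder endpoints (assumptions, not any vendor's real URLs).
TOKEN_URL = "https://login.example.invalid/oauth/token"
API_BASE = "https://api.example.invalid"

# Read-only resources the proxy will fetch for a logged-in supervisor.
# Paths are placeholders; the allowlist is what stops the proxy from
# becoming a general relay for the privileged token.
ALLOWED_RESOURCES: Dict[str, str] = {
    "ivr-schedules": "/v1/placeholder/ivr-schedules",
    "phone-numbers": "/v1/placeholder/phone-numbers",
}

HttpResponse = Tuple[int, Dict[str, Any]]
HttpPost = Callable[[str, Dict[str, str], Dict[str, str]], HttpResponse]
HttpGet = Callable[[str, Dict[str, str]], HttpResponse]


class ClientCredentialsProxy:
    """Holds the client-credentials token server-side; hands out data only."""

    def __init__(self, client_id: str, client_secret: str,
                 http_post: HttpPost, http_get: HttpGet,
                 now: Callable[[], float] = time.time) -> None:
        self._client_id = client_id
        self._client_secret = client_secret
        self._post = http_post
        self._get = http_get
        self._now = now
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _access_token(self) -> str:
        # Reuse the cached token until 60 s before it expires.
        if self._token and self._now() < self._expires_at - 60:
            return self._token
        basic = base64.b64encode(
            f"{self._client_id}:{self._client_secret}".encode()).decode()
        status, body = self._post(
            TOKEN_URL,
            {"Authorization": "Basic " + basic},
            {"grant_type": "client_credentials"},
        )
        if status != 200 or "access_token" not in body:
            raise RuntimeError("token request failed")
        self._token = body["access_token"]
        self._expires_at = self._now() + float(body.get("expires_in", 0))
        return self._token

    def fetch(self, session: Dict[str, Any], resource: str) -> Dict[str, Any]:
        """Entry point for the browser's AJAX call: requires the app's own
        login, maps a resource name to an allowlisted path, returns data."""
        if not session.get("authenticated"):
            raise PermissionError("login required")
        path = ALLOWED_RESOURCES.get(resource)
        if path is None:
            raise KeyError(f"resource not exposed: {resource}")
        token = self._access_token()
        status, body = self._get(API_BASE + path,
                                 {"Authorization": "Bearer " + token})
        if status != 200:
            raise RuntimeError(f"upstream returned {status}")
        # Only the payload goes back to the browser; the token never does.
        return {"resource": resource, "data": body}


class FakeUpstream:
    """Constructed stand-in for the token endpoint and the API (test double)."""

    def __init__(self) -> None:
        self.token_requests = 0
        self.issued = "constructed-token-0001"

    def post(self, url: str, headers: Dict[str, str],
             form: Dict[str, str]) -> HttpResponse:
        self.token_requests += 1
        expected = "Basic " + base64.b64encode(b"demo-id:demo-secret").decode()
        if url != TOKEN_URL or headers.get("Authorization") != expected:
            return 401, {"error": "invalid_client"}
        if form.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        return 200, {"access_token": self.issued, "expires_in": 3600}

    def get(self, url: str, headers: Dict[str, str]) -> HttpResponse:
        if headers.get("Authorization") != "Bearer " + self.issued:
            return 401, {"error": "unauthorized"}
        if url.endswith("/ivr-schedules"):
            return 200, {"schedules": [{"name": "Office hours",
                                        "open": "08:00-18:00"}]}
        if url.endswith("/phone-numbers"):
            return 200, {"numbers": ["+1-555-0100"]}
        return 404, {"error": "not found"}


if __name__ == "__main__":
    upstream = FakeUpstream()
    proxy = ClientCredentialsProxy("demo-id", "demo-secret",
                                   upstream.post, upstream.get)
    print(proxy.fetch({"authenticated": True}, "ivr-schedules"))
```

Because the browser only ever talks to `fetch`, there is no cross-origin call to the API and so no CORS issue, and a compromised browser session can do no more than read the two allowlisted resources.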
system | 2017-12-30 15:37:20 UTC | #5
This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.
This post was migrated from the old Developer Forum.
ref: 2155