Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
rfc6749 + CORS + OAuth
See original GitHub issueMy token’s provider doesn’t support CORS, and he argues with sentence from rfc6749 The client MUST use the HTTP "POST" method when making access token
In other hands, it is difficult for me to understand how to use swagger UI without CORS & different domains
So… did I miss something? Did I use swagger in wrong way? My understanding of OAuth is wrong… or my token’s provider has weak argument? Thank you for any comments, whole my swagger setup will be useless without authorization.
Issue Analytics
- State:
- Created 5 years ago
- Comments:10 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@micjaesc, it seems to me that your token provider is wrong.
CORS is an additional browser security mechanism that exists outside of OAuth’s request flow.
When Swagger UI (or any web application) wants to talk to a cross-domain server, the user’s browser puts that request on hold and sends out a preflight request that asks the server for security rules about what web pages are allowed to send requests to it - that’s the OPTIONS request that you’re seeing.
Once the OPTIONS request is handled correctly (sending back 200 OK and setting the correct
Access-Controlresponse headers), the browser will allow the OAuth POST request to proceed.Doing so doesn’t break OAuth’s rules - the POST request is there as it should be, it’s just that the token server needs to do more since browser security rules are involved.
I just run to the same issue today. @shockey, the token provider is not wrong, it seems to me they are totally right. See, the application flow is not intended to be used from browser, and the token provider is actually fully compatible with the RFC. What is wrong here is that the swagger is making the request from the browser, but that request never intended to be done from browser, it had to be done from the backend. So, to correctly support OAuth2 application flow in swagger, the frontend part need to make a all to the backend handler, which on its turn should initiate a call to the token provider. Apart from the CORS, there are other use cases as well, which would not work: for example, if the token provider is accessible from the server that hosts the application/API, but is not accessible from the client machine that runs the browser (but, of course, the backend server is accessible from the client machine). This is either bug or a design issue, and should be fixed.