The problem is that these redirects all happen in succession and CORS in the browser is preventing the exchange. What do the servers need to do as far as CORS to make this flow work?
    browser -> POST app.com/auth
               307 auth.com/auth?redirect=app.com/auth <- browser
    browser -> POST auth.com/auth?redirect=app.com/auth (with authorization header)
               307 app.com/auth?authcode=fubar <- browser
    browser -> POST app.com/auth?authcode=fubar
That is roughly how it is supposed to go.
EDIT: Browser says
XMLHttpRequest cannot load http://app.com/autho. The request was redirected to 'http://autho.com/auth?response_type=code&redirect_uri=http://app.com/autho&state=639bfbe7-fd20-4c04-8feb-c9f60f4d55a9&client_id=0xdeadbeef', which is disallowed for cross-origin requests that require preflight.
EDIT2: So the redirect works fine without the Authorization header. Guess that data is going in the body for now.
Normally, your browser gets redirected to the authorization server and upon successful authentication, the browser is redirected back to the application with an auth-code or access token (depending on which flow is used).