Hi,
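Using the following code:
// Create a session using the client-credentials grant (requires the client secret)
var pureCloudSession = purecloud.platform.PureCloudSession({
  strategy: 'client-credentials',
  environment: 'mypurecloud.ie',
  clientId: '***',
  clientSecret: '***'
});
// Request a token; the callback runs only if login succeeds
pureCloudSession.login().then(function () {
  console.debug('I am a lucky man!');
});
I get the error below: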
XMLHttpRequest cannot load https://login.mypurecloud.ie/token. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access. The response had HTTP status code 400.
Not sure whether it matters here, but the code is embedded in an Angular controller.
Do I have to modify the SDK code and add the Access-Control-Allow-Origin header to the login request, or is there any other way to solve this problem?
Please advise. Thanks!
I believe this is an issue with the auth service. If you look at the actual request/response, it's returning a 400 on the preflight OPTIONS request, which is causing the request to completely fail. I'm investigating.
In the meantime, you can use the implicit grant and it will work fine. This is more appropriate for a browser application anyway. Client credentials are for non-user applications. The client secret is essentially a password, so putting it in JavaScript code in a web page is like hardcoding a password in a public application - a very bad practice.
Posted just too soon. Checked with the auth service team and this is working as intended for exactly the reason I advised against using client credentials in a browser; there's no secure way to provide client credentials in a browser application, so the auth service prevents it from working by not responding to OPTIONS requests.
The client credentials option is in the JavaScript SDK because the SDK is built for both node.js and browsers. When used in a browser, the client credentials login won't work. When used in node, the implicit grant won't work.
Hi Tim, Thanks for your quick response. Yes, I am aware of the risk of using a client secret, but I just wanted to prepare a demo web-page for a presentation which registers callbacks in Dialer. Nothing for a live system. In this scenario a web-page visitor doesn't have user credentials for PC. So the solution is to move this logic to the server code.
I confirm, it works fine in node.js.
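
The server-side approach the thread settles on, as an added example that is not part of the original posts or of the PureCloud SDK: a Node.js (18+) helper that performs the standard OAuth 2.0 client-credentials request (RFC 6749, section 4.4) and caches the token on the server, so the secret never reaches the browser. The token URL placeholder, the `PURECLOUD_TOKEN_URL` variable and the function names are assumptions made for illustration.

```javascript
// Added example: server-side client-credentials token handling (Node.js 18+).
// TOKEN_URL is a placeholder and PURECLOUD_TOKEN_URL a hypothetical variable name;
// set it to the token endpoint of your region's auth service.
const TOKEN_URL = process.env.PURECLOUD_TOKEN_URL || 'https://login.example.invalid/oauth/token';

// Build the token request: the client authenticates with HTTP Basic, so the
// secret is sent only in a header, never in a URL or in browser code.
function buildTokenRequest(clientId, clientSecret, url = TOKEN_URL) {
  if (!clientId || !clientSecret) throw new Error('client credentials not configured');
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  return {
    url,
    options: {
      method: 'POST',
      headers: {
        Authorization: `Basic ${basic}`,
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      body: new URLSearchParams({ grant_type: 'client_credentials' }).toString(),
    },
  };
}

// Returns getToken(), which caches the token in server memory until shortly
// before it expires. fetchImpl and now are injectable so the logic runs offline.
function createTokenProvider({ clientId, clientSecret, url, fetchImpl = fetch, now = Date.now }) {
  let cached = null; // { token, expiresAt }
  return async function getToken() {
    if (cached && now() < cached.expiresAt) return cached.token;
    const req = buildTokenRequest(clientId, clientSecret, url);
    const res = await fetchImpl(req.url, req.options);
    // Report only the status: never echo the request (and its secret) into logs.
    if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
    const body = await res.json();
    // Refresh 60 s early so a token does not expire mid-request.
    cached = { token: body.access_token, expiresAt: now() + (body.expires_in - 60) * 1000 };
    return cached.token;
  };
}
```

The browser page then calls an endpoint on this server, which uses `getToken()` for its own API calls and returns only the results; neither the secret nor the token is sent to the page.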