esi / esi-issues

Issue tracking and feature requests for ESI
https://esi.evetech.net/

Unable to get an authorization point from localhost due to CORS #1188

Closed RMo-Sloth closed 4 years ago

RMo-Sloth commented 4 years ago

Bug

I was following along https://docs.esi.evetech.net/docs/sso/web_based_sso_flow.html (step 5), running the HTML file below from localhost. Browsers block this request due to CORS. In my console this error is thrown: POST https://login.eveonline.com/v2/oauth/token net::ERR_HTTP2_PROTOCOL_ERROR

<!DOCTYPE html>
<html lang="en" dir="ltr">
<head></head>
<body>

<script type="text/javascript">
  function fetchIt() {
    var myHeaders = new Headers();
    // "Host" is a forbidden header name in browsers: the fetch API silently drops it.
    myHeaders.append("Host", "login.eveonline.com");
    // Basic credentials are base64(client_id:client_secret); anything sent from a page
    // script is visible to whoever loads the page.
    myHeaders.append("Authorization", "Basic NThmYjljMGEwMdwRjhEZEN1MWhMSE5YNk5RMFIwdUtZTzBNZkpCZw==");
    myHeaders.append("Content-Type", "application/x-www-form-urlencoded");

    var urlencoded = new URLSearchParams();
    urlencoded.append("grant_type", "authorization_code");
    urlencoded.append("code", 'code');

    fetch("https://login.eveonline.com/v2/oauth/token", {
      method: 'POST',
      headers: myHeaders,
      body: urlencoded,
      redirect: 'follow'
    })
    .then(response => response.text())
    .then(result => console.log(result))
    .catch(error => console.log('error', error));
  }
</script>
<button id='button' type="button" name="button" onclick='fetchIt()'>Fetch Auth</button>
</body>
</html>

Request

Requests work outside of browsers in e.g. Postman

Response

this error is thrown: POST https://login.eveonline.com/v2/oauth/token net::ERR_HTTP2_PROTOCOL_ERROR

Status Code

net::ERR_HTTP2_PROTOCOL_ERROR

Headers

Authorization: Basic <URL safe Base64 encoded credentials>
Content-Type: application/x-www-form-urlencoded
Host: login.eveonline.com

Body

none

Expected

On a successful request with the correct data:

 {
     "access_token": <JWT token>,
     "expires_in": 1199,
     "token_type": "Bearer",
     "refresh_token": <unique string>
 }

On a request with invalid data I expect a regular errorcode, not net::ERR_HTTP2_PROTOCOL_ERROR


Blacksmoke16 commented 4 years ago

I'm pretty sure this is because you cannot get a refresh token via the front end. You would need a server to handle converting the authorization_code into an access_token/refresh_token.

If you don't have a server to do this, another option is to use the implicit flow. This would allow you to get a token via solely the frontend, but it would expire in 20 min and you would have to go through the SSO flow again in order to refresh it.

For the implicit flow, when you do the redirect to the login page, change the response_type query param to token instead of code.

Something should probably get added to the docs site about this.

EDIT: This is also not related to ESI. If the problem persists, make a new issue in the https://github.com/ccpgames/sso-issues repo.