heroku / identity

[DEPRECATED] Login and OAuth management service for Heroku
https://id.heroku.com/
MIT License

CORS errors on oauth token refresh? #233

Closed msakrejda closed 7 years ago

msakrejda commented 7 years ago

We occasionally see this error when talking to id.heroku.com:

XMLHttpRequest cannot load https://id.heroku.com/oauth/authorize?response_type=code&scope=global&client_id=<redacted>. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://data.heroku.com' is therefore not allowed access.

(see https://github.com/heroku/herokudata/issues/368). I don't think it's an identity issue per se, but I figure it may be familiar. I think this happens during our oauth token refresh, but I'm not sure why or how. Have you seen this before? Do you know what we might be doing wrong?

msakrejda commented 7 years ago

So the issue is that we were not filtering XHRs properly in our auth middleware, and we would in some situations send a 301 to the client to hit our oauth endpoint directly--which obviously can't work. The fix is entirely on us and there is no issue in identity.

dmcinnes commented 7 years ago

Thanks for the follow-up 👍
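
The root cause given in the second comment (auth middleware redirecting XHRs to the OAuth endpoint) can be avoided by answering scripted requests with a 401 and redirecting only top-level navigations. The sketch below is an added example, not code from this thread or from heroku/identity. Assumptions: the 401 JSON body, the `/login` path, the `session.accessToken` field, the header heuristics and the `client_id` placeholder are all hypothetical.

```javascript
// Added example (not the project's code). The authorize URL shape is taken from the
// error message in the thread; the client_id value is a placeholder.
const AUTHORIZE_URL =
  "https://id.heroku.com/oauth/authorize?response_type=code&scope=global&client_id=CLIENT_ID_PLACEHOLDER";

// Constructed sample requests (header names lower-cased, as Node's http module delivers them).
const SAMPLE_XHR = { headers: { "x-requested-with": "XMLHttpRequest", accept: "application/json" } };
const SAMPLE_NAV = { headers: { "sec-fetch-mode": "navigate", accept: "text/html" } };

// True when the request was issued by script (XHR/fetch) rather than a page navigation.
function isScriptedRequest(headers) {
  const h = headers || {};
  if ((h["x-requested-with"] || "").toLowerCase() === "xmlhttprequest") return true;
  // Fetch metadata from current browsers: only navigations use mode "navigate".
  const mode = h["sec-fetch-mode"];
  if (mode) return mode !== "navigate";
  // Fallback for older clients: asks for JSON and does not accept HTML.
  const accept = (h["accept"] || "").toLowerCase();
  return accept.includes("application/json") && !accept.includes("text/html");
}

// Decide the response for a request that has no valid session.
function unauthenticatedResponse(req) {
  if (isScriptedRequest(req.headers)) {
    // An XHR that followed a redirect to id.heroku.com would fail the CORS check,
    // so tell the client code to start a top-level navigation itself.
    return {
      status: 401,
      headers: { "content-type": "application/json", "cache-control": "no-store" },
      body: JSON.stringify({ error: "reauthenticate", login_path: "/login" }), // hypothetical path
    };
  }
  // Top-level navigation: a temporary redirect to the authorize endpoint works as usual.
  return { status: 302, headers: { location: AUTHORIZE_URL, "cache-control": "no-store" }, body: "" };
}

// Connect/Express-style wrapper; session.accessToken is a hypothetical field name.
function authMiddleware(req, res, next) {
  if (req.session && req.session.accessToken) return next();
  const r = unauthenticatedResponse(req);
  res.writeHead(r.status, r.headers);
  res.end(r.body);
}
```

On the client side, the 401 handler would set `window.location` to the returned `login_path`, so the browser reaches the authorize endpoint through a navigation instead of an XHR.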