CORS error using refresh token from Angular running locally

We are creating an Angular app running on “http://localhost:4200” that we have working to pull back ID, Access and Refresh tokens, but when we try to leverage the Refresh token from a front end JS call to pull back new ID and Access tokens, we get a CORS error.

Error: “has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource”

Looking at old devforum posts like “CORS headers for /oauth2/v1/token” leaves us confused about whether this should even work via a frontend call, and whether we should be trying to leverage our custom authorization server, use the default, or exclude it altogether from the call.

The “.well-known/oauth-authorization-server” for our custom authorization server endpoint shows that we should be using “oauth2/{authserver}/v1/token”. We have “http://localhost:4200” added to Trusted Origins and have tried all of the following API call formats, but all fail.
* /oauth2/v1/token
* /oauth2/default/v1/token
* /oauth2/{authserver}/v1/token

We are using “/oauth2/{authserver}/v1/{authorize/introspect}” for all the API calls that are working from our Angular app but are having a CORS issue only with the “token” endpoint.

Hm, you shouldn’t need a Trusted Origin entry for these requests and the request paths you indicated all look correct (for each different type of authorization server of course).

Do you have a screenshot of one of these CORS errors you can share here?

The following image shows the CORS errors for each of the 3 ways the developer tried to call the /token endpoint attempting to leverage a refresh token.

And the org you’re using definitely has the Default Authorization Server?

We have a default Authorization Server that shows a “Default” label under the name but we are not using it for the Auth Code flow. We are using one of our custom domain Authorization Servers which works to give us the ID, Access and Refresh tokens but we cannot get the Refresh token to work to fetch new tokens. We tried Default Auth Server just to see if that would work but it did not.

Would you be willing to jump on a video call next week with the developer to do a quick review?

If you need hands-on assistance, you’ll need to open a support case.
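
For readers debugging the error quoted in this thread, the following added example (not code from any poster and not Okta's) models the two browser-side decisions behind it: whether a request triggers an OPTIONS preflight, and whether a response's headers let page script read it. The function names, header sets and sample responses are assumptions constructed for illustration, and the safelist is a simplified version of the Fetch rules (header value restrictions are not modelled).

```javascript
// Added example: models browser-side CORS checks. Not Okta code.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Normalise header names to lower case and trim values.
function lower(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// True when the browser sends an OPTIONS preflight before the real request.
function needsPreflight(method, requestHeaders) {
  const h = lower(requestHeaders);
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  if (Object.keys(h).some((name) => !SAFE_HEADERS.has(name))) return true;
  const type = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  return type !== "" && !SAFE_TYPES.has(type);
}

// Decide whether page script at `origin` may read a response with these headers.
function corsVerdict(origin, responseHeaders, withCredentials = false) {
  const h = lower(responseHeaders);
  const allow = h["access-control-allow-origin"];
  if (allow === undefined) return "blocked: no Access-Control-Allow-Origin header";
  if (allow === "*") {
    return withCredentials ? "blocked: wildcard not allowed with credentials" : "allowed";
  }
  if (allow !== origin) return "blocked: allowed origin does not match";
  if (withCredentials && h["access-control-allow-credentials"] !== "true") {
    return "blocked: Access-Control-Allow-Credentials is not true";
  }
  return "allowed";
}

// Constructed sample data (not captured from a real org).
const ORIGIN = "http://localhost:4200";
const formPost = { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" };
const jsonPost = { "Content-Type": "application/json" };
const withAuthHeader = { ...formPost, Authorization: "Basic <placeholder>" };
const noCorsHeaders = { "Content-Type": "application/json" };
const echoedOrigin = { "Access-Control-Allow-Origin": ORIGIN, Vary: "Origin" };

console.log("form POST preflight:", needsPreflight("POST", formPost));
console.log("JSON POST preflight:", needsPreflight("POST", jsonPost));
console.log("Authorization preflight:", needsPreflight("POST", withAuthHeader));
console.log("no CORS headers:", corsVerdict(ORIGIN, noCorsHeaders));
console.log("origin echoed:", corsVerdict(ORIGIN, echoedOrigin));
```

When a preflight is needed, the same header check applies to the OPTIONS response first, so comparing the request and response headers in the browser's network tab against these two functions shows which step produced the block.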