CORS issue from FrontEnd App

Hello, I have a CORS issue when I send a POST request from a React app to get a token using the Resource Owner Password flow.

The POST request goes to https://dev-71630461.okta.com/oauth2/*********/v1/token and the React app runs on http://localhost:5173.

I’ve already added the trusted origin on the authorization server, as you can see in the picture.

My company name is okta-dev-digitalbanking. Could you please help me?

Hi @fguzman. The resource owner password flow is not available for SPAs. Please try using a different grant type.

2 Likes

@fguzman, per @louie’s note, since you are using React to develop a single-page app (SPA), consider using Authorization Code Flow with PKCE (OAuth 2.0 and OpenID Connect Overview | Okta Developer). This is recommended because SPAs are considered public clients that have no way to store client credentials, i.e. client secrets. Check out our sample here for more guidance: GitHub - okta/samples-js-react: React Auth SDK sample.

1 Like

Hi @louie, thanks for your answer. I wonder if it is possible to change that? For the project, I need to get a token from a SPA; it is a high-trust app.

Hi @sigama, thank you. I understand what you’re saying; however, for the project that I’m working on, it is necessary to use the resource owner password flow.

Hi @fguzman, your secure options, and our recommendations, are to use Auth Code Flow with PKCE or to run the Resource Owner Password Flow from the backend.

There are even more patches currently in the works. I am writing a draft for best practices for single-page apps, and the latest Security Best Current Practice (BCP) is currently in the final call. The single-page apps draft recommends using PKCE with JavaScript apps and says you should no longer use the Implicit flow. The Security BCP effectively deprecates the Implicit flow as well as the Password grant out of OAuth entirely, and further recommends using PKCE even for web server apps.

Resource Owner Password grant type is a flow used by trusted first-party clients. Because of the risks involved in applications directly handling credentials, OAuth 2.0 no longer recommends this grant type and it will be dropped in the upcoming OAuth 2.1. There might be legacy applications requiring this flow, but that’s the only reason to use it.

https://oauth.net/2/grant-types/password/

The Password grant type is a legacy way to exchange a user’s credentials for an access token. Because the client application has to collect the user’s password and send it to the authorization server, it is not recommended that this grant be used at all anymore.