CORS Policy denying fetch but I am in trusted origins

So I have some code here I am using to find out which groups a certain user is in. I already have fetched the user info, I did the same process for requesting group info but I continue getting a CORS denied error every time. Here’s the code:

    // Checks what groups the user is currently a member of.
    fetch("https://portal.hawxservices.com/api/v1/groups", {
        method: "GET",
        headers: {
            Authorization: `SSWS ${accessToken}`,
            redirectUri: 'http://localost',
            Accept: 'application/json',
            ContentType: 'application/json'
        }
    })
        .then(response => {
            if (!response.ok) {
                throw new Error("HTTP error " + response.status);
            }
            return response.json();
        })
        .then(groups => {
            // Store each group in a separate constant
            groups.forEach(group => {
                const groupName = group.profile.name;
                window[groupName] = group;
            });

            // Check which groups contain the email
            const groupsContainingUsername = groups.filter(group => {
                return group.profile.name.includes(email);
            });

            console.log(`Groups of which you are a member:`);
            console.log(groupsContainingUsername);
        })
        .catch(error => {
            console.error(error);
        });

Here is the exact error I get:

Access to fetch at 'https://portal.hawxservices.com/api/v1/groups' from origin 'http://localhost' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

The Groups endpoint is not CORS enabled. You can tell which Management endpoints are CORS enabled by looking for the CORS tag, see the tag for /Users here. So you won’t be able to call this endpoint client-side.

More details can be found here as well.

Would storing group membership information in a groups claim be sufficient for your use case?

1 Like

Thanks Andrea! So, how would I go about accessing which groups the user is in?

Groups claim is one way to go about it. Since you already seem to be grabbing an Access Token for the user to get their user profile information (so I presume this token is returned via Auth Code or Implicit flow), you can also set up a Groups claim for the OIDC app in question and retrieve their group membership information from the Userinfo endpoint.

Definitely check out the guide I linked to above and see if this would work well for you.

2 Likes
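The approach suggested in the replies above, sketched as an added example that is not part of the original thread and not Okta's own code: read the user's groups from the Userinfo endpoint with the access token instead of calling the Groups API from the browser. It assumes a groups claim named `groups` has been configured for the OIDC app and that the org authorization server's `/oauth2/v1/userinfo` path is in use; `example.okta.com`, the function names and the sample response are constructed for illustration.

```javascript
// Added example. Assumptions: the OIDC app has a groups claim named "groups"
// and the org authorization server's /oauth2/v1/userinfo endpoint is used.

// Build the Userinfo request. An OAuth access token is sent as a Bearer
// token; the SSWS scheme is only for Okta API tokens.
function buildUserinfoRequest(oktaDomain, accessToken) {
  if (!/^https:\/\//.test(oktaDomain)) {
    throw new Error("Okta domain must be an https:// URL");
  }
  return {
    url: new URL("/oauth2/v1/userinfo", oktaDomain).href,
    options: {
      method: "GET",
      headers: { Authorization: `Bearer ${accessToken}`, Accept: "application/json" },
    },
  };
}

// Normalize the groups claim: absent -> [], single string -> [string].
function groupsFromClaims(claims, claimName = "groups") {
  const value = claims ? claims[claimName] : undefined;
  if (value === undefined || value === null) return [];
  const list = Array.isArray(value) ? value : [value];
  return list.filter(g => typeof g === "string" && g.length > 0);
}

// Fetch the signed-in user's groups. fetchImpl is injectable for testing.
async function getUserGroups(oktaDomain, accessToken, fetchImpl = fetch) {
  const { url, options } = buildUserinfoRequest(oktaDomain, accessToken);
  const response = await fetchImpl(url, options);
  if (!response.ok) {
    throw new Error("HTTP error " + response.status);
  }
  return groupsFromClaims(await response.json());
}

// Constructed sample Userinfo response (not real data).
const sampleClaims = {
  sub: "00uEXAMPLE",
  email: "user@example.com",
  groups: ["Everyone", "Technicians"],
};
console.log(groupsFromClaims(sampleClaims));
```

Group names read this way in the browser are suitable for display logic only; any access decision based on them should be enforced again on the server that validates the token.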