Access token endpoint taken away?

arjan.panesar · March 30, 2023, 7:59pm

I’m having an issue with access tokens (or maybe it’s just my understanding of them).
So the user logs in and the getAccessTokenSilently makes an access token depending on the audience - great.
When I’m now trying to get an access token to make a HTTP request to my serverside I use the following code - pretty much copy and pasted (changed to fetch instead of requests) from the settings tab of the API page:
const options = { method: ‘POST’, headers: { ‘Content-Type’: ‘application/json’, }, body: JSON.stringify({ client_id: ‘CLIENT_ID’, client_secret: ‘CLIENT_SECRET’, audience: ‘API_IDENTIFIER’, grant_type: ‘client_credentials’ }) };


    fetch('https://<DOMAIN>/oauth/token', options)
      .then(response => response.json())
      .then(data => console.log(data))
      .catch(error => console.error(error));

But I'm getting a 'has been blocked by CORS policy' error - is this endpoint call been taken away. I'm confused because this was the code that it told me to put in? How do I get an access token with the audience of my API_Identifier.

sylvainf · March 31, 2023, 11:55am

Hi @arjan.panesar,

The endpoint still works fine for me. Are you making this request locally to your server? I know that some browsers disable CORS for security purposes. There are ways to disable these temporarily for testing purposes.

arjan.panesar · March 31, 2023, 4:25pm

Oh okay. I don’t know if I’m following best practises, I’ve got a react app - so am using PKCE. I’m making the requests to the /oauth/token endpoint from my client (currently I’m doing this on localhost in a test environment).

I tried to disable cors using: chrome.exe --disable-web-security this also didn’t work.

My understanding is that to make get and post requests to my server from my client, having them secured via access tokens, the audiences from both getAccessTokenSilently and auth (from the express-oauth2-jwt-bearer const { auth } = require(‘express-oauth2-jwt-bearer’) have to be the same. But does this require user consent to send to my sever?

I’m basically trying to get an access token clientside to communicate with my server.

sylvainf · April 1, 2023, 12:20pm

In my case I also had to disable GPU and set a temporary data dir for Chrome to accept launching without CORS (example below - adapt your TEMP dir to your liking)

Please note that this mainly applies to testing because of the security concerns coming with disabling cors.

chrome.exe --disable-web-security --disable-gpu --user-data-dir=your_temp_dir_here

Topic		Replies	Views
Getting logged out (and thus a No Auth Token Found) error when trying to generate a token? Help	3	2014	July 29, 2021
CORS error when trying to access the 'oauth/token' endpoint Help apis , application	0	1295	March 31, 2023
Trying to get a access token Help	13	4581	March 3, 2021
Access Token after getting auth code Help	1	3076	January 5, 2019
Authorization fails when trying to fetch /api/v2/users/ Help management-api , users	2	1697	November 14, 2022

Access token endpoint taken away?

Related Topics