CORS issue when calling /oauth/device/code in device-flow

Hi all,
I am trying to integrate Auth0 device flow in our TV application (it’s web based) following this guide: Call Your API Using the Device Authorization Flow

I set the Allowed Web Origins in the app settings. It works when we call the API /oauth/token, but it fails for the API /oauth/device/code with the error: No 'Access-Control-Allow-Origin' header is present on the requested resource

Is it a bug or am I missing something?

Thanks,
Antonio

@salvan13 did you ever figure this out? I’m seeing the same behavior.

I’m having exactly the same problems. Did you manage to resolve the issue?

For sending data in application/x-www-form-urlencoded format from the web, we need to send the data using URLSearchParams.

For example:

```js
// Build an application/x-www-form-urlencoded request body
const params = new URLSearchParams();
params.append('client_id', 'YOUR_CLIENT_ID');
params.append('audience', 'YOUR_AUDIENCE_URL');
params.append('scope', 'YOUR_REQUIRED_SCOPES');
```

Then send these params as data when you call the API using fetch or axios.

Also having the exact same problem. It’s obvious that the response from the Auth0 endpoint (/oauth/device/code) is missing the header, even though allowed origins are correctly configured in the app settings.

This error is due to the fact that the /oauth/device/code endpoint does not handle CORS pre-flight (OPTIONS) requests, unlike the /oauth/token endpoint. I am not sure why this limitation is in place though…

```http
OPTIONS /oauth/device/code HTTP/1.1
Host: my-tenant.eu.auth0.com
Origin: https://example.com
Access-Control-Request-Method: POST
Accept: */*

HTTP/1.1 404 Not Found
```

This prevents browsers from making any calls to that endpoint…

Note that the WEB ORIGINS option is taken into account when there is an Origin header, as performing a POST request with an invalid origin yields:

```http
HTTP/1.1 403 Forbidden
...

{
	"error": "access_denied",
	"error_description": "Origin https://example.com is not allowed. Behavior used for check: WEB ORIGINS"
}
```
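Added example, not code from any poster in this thread or from Auth0: a simplified model of the browser-side rules that decide whether a cross-origin request triggers the OPTIONS pre-flight discussed above, and whether a given pre-flight response would be accepted. The function names and the `{ status, headers }` response shape are assumptions made for illustration, and the sample inputs are constructed.

```javascript
// Added example; simplified from the Fetch standard (ignores credentials mode,
// streamed bodies, the Range header, Access-Control-Allow-Headers and
// per-header byte restrictions).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Reasons a cross-origin request triggers an OPTIONS pre-flight (empty = none).
function preflightReasons(method, headers = {}) {
  const reasons = [];
  const verb = method.toUpperCase();
  if (!SAFE_METHODS.has(verb)) reasons.push(`method ${verb}`);
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    // Only the media type counts; parameters such as charset are ignored.
    const essence = String(value).split(';')[0].trim().toLowerCase();
    if (!SAFE_HEADERS.has(lower)) reasons.push(`header ${lower}`);
    else if (lower === 'content-type' && !SAFE_TYPES.has(essence)) reasons.push(`content-type ${essence}`);
  }
  return reasons;
}

// Would the browser accept this pre-flight response? `response` is a
// hypothetical { status, headers } object with lower-case header names.
function checkPreflightResponse(origin, method, response) {
  const verb = method.toUpperCase();
  const allowOrigin = response.headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return 'blocked: no Access-Control-Allow-Origin header';
  if (allowOrigin !== '*' && allowOrigin !== origin) return 'blocked: origin mismatch';
  if (response.status < 200 || response.status > 299) return `blocked: status ${response.status}`;
  const allowed = (response.headers['access-control-allow-methods'] || '')
    .split(',').map((m) => m.trim().toUpperCase());
  if (!SAFE_METHODS.has(verb) && !allowed.includes(verb) && !allowed.includes('*')) {
    return `blocked: method ${verb} not allowed`;
  }
  return 'allowed';
}

// Constructed inputs modelled on the requests shown in the thread.
const formPost = preflightReasons('POST', { 'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8' });
const jsonPost = preflightReasons('POST', { 'Content-Type': 'application/json' });
const notFound = checkPreflightResponse('https://example.com', 'POST', { status: 404, headers: {} });

console.log({ formPost, jsonPost, notFound });
```

Even when no pre-flight is sent, the response to the actual POST still has to carry a matching Access-Control-Allow-Origin header before the browser exposes it to the page.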