This error is due to the fact that the /oauth/device/code endpoint does not handle CORS pre-flight (OPTIONS) requests, unlike the /oauth/token endpoint. I am not sure why this limitation is in place though…
```http
OPTIONS /oauth/device/code HTTP/1.1
Host: my-tenant.eu.auth0.com
Origin: https://example.com
Access-Control-Request-Method: POST
Accept: */*
```

```http
HTTP/1.1 404 Not Found
```
This prevents browsers from making any calls to that endpoint…
Note that the WEB ORIGINS option is taken into account when there is an Origin header, as performing a POST request with an invalid origin yields:
```http
HTTP/1.1 403 Forbidden
...

{
  "error": "access_denied",
  "error_description": "Origin https://example.com is not allowed. Behavior used for check: WEB ORIGINS"
}
```
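To make the two behaviours described above concrete, here is an added, self-contained example (not Auth0's code, and not part of the original post) that runs a small local HTTP server modelling them: the hypothetical `/oauth/token` path answers CORS pre-flight requests against an allow-list that stands in for the tenant's WEB ORIGINS setting, while the hypothetical `/oauth/device/code` path returns 404 on OPTIONS and rejects a POST that carries a disallowed Origin header with the same `access_denied` JSON shape shown in the post. The allow-list contents, ports and origins are constructed for the demonstration.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Hypothetical allow-list standing in for the tenant's WEB ORIGINS setting.
WEB_ORIGINS = {"https://app.example.com"}


class MockAuthHandler(BaseHTTPRequestHandler):
    """Models the observed behaviour: /oauth/token handles CORS pre-flight,
    /oauth/device/code does not, and POSTs are checked against WEB ORIGINS."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, status, body=b"", headers=()):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        origin = self.headers.get("Origin", "")
        if self.path != "/oauth/token":
            # Pre-flight is not handled on the device-code path (404, as observed).
            self._send(404)
        elif origin in WEB_ORIGINS:
            self._send(204, headers=[
                ("Access-Control-Allow-Origin", origin),
                ("Access-Control-Allow-Methods", "POST"),
                ("Access-Control-Allow-Headers", "Content-Type"),
                ("Vary", "Origin"),
            ])
        else:
            self._send(403)

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        self.rfile.read(length)  # consume the body before answering
        origin = self.headers.get("Origin")
        # Only requests that carry an Origin header are subject to the check.
        if origin is not None and origin not in WEB_ORIGINS:
            body = json.dumps({
                "error": "access_denied",
                "error_description": f"Origin {origin} is not allowed. "
                                     "Behavior used for check: WEB ORIGINS",
            }).encode()
            self._send(403, body, [("Content-Type", "application/json")])
        else:
            self._send(200, b'{"ok": true}', [("Content-Type", "application/json")])


def preflight(base, path, origin):
    """Send a browser-style CORS pre-flight; return (status, allow-origin header)."""
    req = Request(base + path, method="OPTIONS",
                  headers={"Origin": origin, "Access-Control-Request-Method": "POST"})
    try:
        with urlopen(req) as resp:
            return resp.status, resp.headers.get("Access-Control-Allow-Origin")
    except HTTPError as err:
        return err.code, err.headers.get("Access-Control-Allow-Origin")


def post(base, path, origin):
    """POST with an optional Origin header; return (status, error code or None)."""
    headers = {"Content-Type": "application/json"}
    if origin is not None:
        headers["Origin"] = origin
    req = Request(base + path, data=b"{}", method="POST", headers=headers)
    try:
        with urlopen(req) as resp:
            return resp.status, json.loads(resp.read()).get("error")
    except HTTPError as err:
        return err.code, json.loads(err.read()).get("error")


def run_demo():
    """Start the mock server on a free loopback port, exercise both paths, stop it."""
    server = HTTPServer(("127.0.0.1", 0), MockAuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {
            "token_preflight_allowed": preflight(base, "/oauth/token", "https://app.example.com"),
            "token_preflight_denied": preflight(base, "/oauth/token", "https://other.example"),
            "device_preflight": preflight(base, "/oauth/device/code", "https://app.example.com"),
            "device_post_bad_origin": post(base, "/oauth/device/code", "https://other.example"),
            "device_post_no_origin": post(base, "/oauth/device/code", None),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The two checks are independent: the 404 on pre-flight is what stops a browser before it ever sends the POST, while the WEB ORIGINS comparison only fires when an Origin header is present, which is why the same POST without that header succeeds in the mock just as a non-browser client would.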