CORS preflight request for OAuth authentication

Hi all,

I’m implementing OAuth on an application using GitHub to provide authentication tokens.

I’ve set up a dummy app on GitHub with the following settings:

If no valid authentication token is found the application’s server requests a redirect to https://github.com/login/oauth/authorize?response_type=code&client_id=12345&redirect_uri=http://localhost.io:8081/&scope=user%20public_repo&state=d0d01327d9dd2d92&access_type=offline&approval_prompt=force

This causes the browser to send a preflight CORS request to github with the following headers:

  • Access-Control-Request-Headers: x-csrf-token-required-for-requests,x-xsrf-token
  • Access-Control-Request-Method: GET
  • Origin: http://localhost.io:8081
  • User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36

The request is always met with a 404 not found response. I understand this sometimes happens if the server is not happy with one or more of the received headers.

Clicking on the redirect URL directly takes me to the ‘log in with Github’ page as expected.

I assume GitHub permits CORS preflight requests, so if anyone can shed some light on what I may be doing wrong I’d be most grateful.

Hi @frogfather,

Thanks for being here! I’ve noticed there was a support request with your issue. Were you able to send the access token via the access_token query string parameter instead of the Authorization header? Is your issue resolved?

Hi Andrea,

Unfortunately no. The issue is that the preflight OPTIONS request to the github authorisation page returns a 404 error so I don’t actually get as far as receiving a token! As far as I know the preflight request only has three mandatory headers: Access-Control-Request-Method, Access-Control-Request-Headers and Origin. My preflight request has all of those.