I’m implementing OAuth on an application using GitHub to provide authentication tokens.
I’ve set up a dummy app on GitHub with the following settings:
If no valid authentication token is found, the application’s server requests a redirect to https://github.com/login/oauth/authorize?response_type=code&client_id=12345&redirect_uri=http://localhost.io:8081/&scope=user%20public_repo&state=d0d01327d9dd2d92&access_type=offline&approval_prompt=force
This causes the browser to send a preflight CORS request to GitHub with the following headers:
- Access-Control-Request-Headers: x-csrf-token-required-for-requests,x-xsrf-token
- Access-Control-Request-Method: GET
- Origin: http://localhost.io:8081
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
The request is always met with a 404 not found response. I understand this sometimes happens if the server is not happy with one or more of the received headers.
Clicking on the redirect URL directly takes me to the ‘log in with GitHub’ page as expected.
I assume GitHub permits CORS preflight requests, so if anyone can shed some light on what I may be doing wrong I’d be most grateful.
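
Why a browser produces the preflight headers listed above, as an added example that is not part of the original post: a simplified model of the Fetch-standard rule that any non-safelisted request header forces a preflight. The function names and header values are assumptions, and the standard's value-length and byte checks are omitted.

```javascript
// Added example: simplified model of when a browser sends a CORS preflight.
// Not the poster's code; per-value checks from the Fetch standard are omitted.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "range"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// A header is safelisted by name, except Content-Type, which also depends on its value.
function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (n === "content-type") {
    const essence = String(value).split(";")[0].trim().toLowerCase();
    return SAFE_CONTENT_TYPES.has(essence);
  }
  return SAFE_HEADERS.has(n);
}

// Returns the preflight (OPTIONS) request headers, or null when no preflight is needed.
function preflightFor(method, headers) {
  const unsafe = Object.entries(headers)
    .filter(([name, value]) => !isSafelistedHeader(name, value))
    .map(([name]) => name.toLowerCase())
    .sort();
  const m = method.toUpperCase();
  if (SAFE_METHODS.has(m) && unsafe.length === 0) return null;
  const pre = { "Access-Control-Request-Method": m };
  if (unsafe.length > 0) pre["Access-Control-Request-Headers"] = unsafe.join(",");
  return pre;
}

// Constructed input: a script-initiated GET carrying the two custom headers
// named in the post (the values are placeholders).
const scripted = preflightFor("GET", {
  "X-XSRF-TOKEN": "placeholder",
  "X-CSRF-Token-Required-For-Requests": "placeholder",
  Accept: "application/json",
});
// Constructed input: a GET with only safelisted headers.
const plain = preflightFor("GET", { Accept: "text/html" });
console.log(scripted, plain);
```

A top-level navigation, such as clicking the link, is not a CORS request, so no preflight is sent for it.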