OAuth app gets blocked by CORS


I’ve been struggling with this since days…

First, here is what i’m trying to do:

I registered an application on Github OAuth Apps.

In my app i’m redirecting the user to github for login and authorization.

Once he gets redirected to my callback site i’m getting the code and want to exchange it for an access token.

And there comes my problem:

i always get the error:

Access to XMLHttpRequest at ‘https://github.com/login/oauth/access_token?code=…&client_id=…&client_secret=.…’ from origin ‘https://aionixx.github.io’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

Heres what i’ve done:

async function getAccessToken(token: string | null): Promise<void> {
    if (token) {
      let request: XMLHttpRequest = new XMLHttpRequest();
      request.open("post", "https://github.com/login/oauth/access_token", true);
      request.setRequestHeader("client_id", CLIENT_ID);
      request.setRequestHeader("client_secret", CLIENT_SECRET);
      request.setRequestHeader("code", token);
      request.setRequestHeader("Accept", "application/json");
      request.onload = () => {

Is there anyone who can help?

I don’t think that API is designed to be used from the client because it is very dangerous for you to make the CLIENT_SECRET able to be observed in your app. You are basically handing keys to the kingdom out if that is visible to anyone at any time. That is designed to be a server-side call only. There might be flows available for client-side only, and you can check that out more by investigating how that is done in OAUTH 2