I am trying to use the Auth Code Flow + PKCE flow via the redux-oidc package. Everything works fine up to the final POST request for an access token, when a CORS error is returned: "Access to XMLHttpRequest at 'https://subdomain.onelogin.com/oidc/2/token' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."

From the answer to a related question:

  • "OneLogin only supports CORS for generating a session token."
  • "If you must authenticate users from the client side ... Please use either OpenId Connect Implicit flow or Authorization Code flow + PKCE."

It is not clear to me how the Auth Code + PKCE flow can be used from the client side if the token endpoint does not support CORS.

Wayne

1 Answer

The OneLogin OpenId Connect service does not currently support CORS on the Auth Code + PKCE flow. However, there is a release planned for the last week of April 2020 that will enable CORS.

Rich
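
The failure described in the question, as an added example that is not part of the original posts: the PKCE token request a browser client sends, and a simplified version of the CORS check the browser applies to the response before script may read it. `buildTokenRequest` and `corsCheck` are hypothetical names, and the code, verifier, client ID and callback path are constructed placeholders.

```javascript
// Form body for the authorization_code + PKCE token exchange (RFC 6749 / RFC 7636).
// A public client sends no client secret; the code_verifier proves possession.
function buildTokenRequest({ code, codeVerifier, clientId, redirectUri }) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    code_verifier: codeVerifier,
    client_id: clientId,
    redirect_uri: redirectUri,
  });
  return {
    method: "POST",
    // With only this safelisted Content-Type, the POST needs no preflight:
    // the browser sends it, then decides whether script may read the response.
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Simplified CORS check on a cross-origin response.
// responseHeaders is a plain object; header names are matched case-insensitively.
function corsCheck(pageOrigin, requestUrl, responseHeaders, withCredentials = false) {
  if (new URL(requestUrl).origin === pageOrigin) {
    return { allowed: true, reason: "same-origin request" };
  }
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = value;
  }
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) {
    return { allowed: false, reason: "No 'Access-Control-Allow-Origin' header is present" };
  }
  if (acao === "*" && !withCredentials) {
    return { allowed: true, reason: "wildcard origin, no credentials" };
  }
  if (acao !== pageOrigin) {
    return { allowed: false, reason: "Access-Control-Allow-Origin does not match the page origin" };
  }
  if (withCredentials && h["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "credentials sent but not allowed by the response" };
  }
  return { allowed: true, reason: "origin allowed" };
}
```

Until the token endpoint returns an `Access-Control-Allow-Origin` value that covers the application's origin, the first negative branch is the one the browser hits, which matches the error text quoted in the question.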