I'm using this part of the Outlook API. It says that you should be able to do a post request, however when I try I get the following error:

Failed to load https://login.microsoftonline.com/common/oauth2/v2.0/token: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3003' is therefore not allowed access. The response had HTTP status code 400.

How do I fix this though? I obviously don't have access to Outlook's servers, but surely they would let me do a post request considering that's what it says to do in the documentation!

Here is my code by the way if that helps:

```html
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<script>
  let url = new URL(window.location);
  let code = url.searchParams.get('code');
  let redirect = 'http%3A%2F%2Flocalhost%3A3003%2Fauth-process-token.html';
  let clientId = '<MY ID>';
  let clientSecret = '<MY KEY>';

  var req_string = 'grant_type=authorization_code&code=' + code + '&redirect_uri=' + redirect + '&client_id=' + clientId + '&client_secret=' + clientSecret;

  $.ajax({
    type: 'POST',
    url: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
    crossDomain: true,
    data: req_string,
    dataType: 'application/x-www-form-urlencoded',
    success: function (responseData, textStatus, jqXHR) {
      var value = responseData.someKey;
    },
    error: function (responseData, textStatus, errorThrown) {
      console.log('POST failed.', errorThrown);
    }
  });
</script>
```

EDIT: I fixed the "bad request" error, but it still gives me the other one.

Ethan
  • One work around is to have CORS filter in your chrome browser. Just an alternative to get things working. https://chrome.google.com/webstore/detail/cors-toggle/jioikioepegflmdnbocfhgmpmopmjkim – Anirudh Dec 18 '17 at 03:45
  • the problem is, you are making a **bad request (400)** - perhaps MS don't issue CORS headers to poor API implementers – Jaromanda X Dec 18 '17 at 03:47
  • perhaps you're not doing the **previous** steps correctly – Jaromanda X Dec 18 '17 at 03:50
  • This is Oauth2 grant type "Authorisation Code". The response will be sent back only to the callback url or redirect url specified in client configuration. Your ajax call may not be receiving a response back. – TejSoft Dec 18 '17 at 03:55
  • Try oauth2 "implicit flow" which is applicable for SPA. The documentation is: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-implicit – TejSoft Dec 18 '17 at 04:14
  • @JaromandaX I fixed them but the CORS one still comes up (edited) – Ethan Dec 18 '17 at 04:24
  • you fixed what? if you're getting a "bad request (400)" error, then it's nothing to do (yet) with CORS - you are making a **bad request** – Jaromanda X Dec 18 '17 at 04:25
  • @JaromandaX I'm saying I fixed that error (it no longer occurs), but the CORS one still does – Ethan Dec 18 '17 at 04:26
  • So, you get an authorization code successfully? `https://login.microsoftonline.com/common/oauth2/v2.0/authorize` ? note: your error still says `The response had HTTP status code 400` ... i.e. **bad request** - so, removing the message about bad request from the question hasn't actually fixed the **bad request** – Jaromanda X Dec 18 '17 at 04:27
  • try changing `http%3A%2F%2Flocalhost%3A3003%2Fauth-process-token.html` to `http://localhost:3003/auth-process-token.html` – Jaromanda X Dec 18 '17 at 04:36

1 Answer

One workaround for this is by using cors.io

http://cors.io/?http://your_link

so it would be

http://cors.io/?https://login.microsoftonline.com/common/oauth2/v2.0/token
illiteratewriter
  • Thanks, although I don't think doing OAuth stuff through a 3rd-party service is a very safe idea.. – Ethan Dec 18 '17 at 04:09
  • probably not a CORS issue anyway if previous steps worked ... `code: the authorization code obtained in the prior step` is clearly working – Jaromanda X Dec 18 '17 at 04:13
  • I thought it was a CORS issue. I was working with local servers and ran into the same error, and I used this as a temporary workaround (later I moved both client and server to the same port). – illiteratewriter Dec 18 '17 at 04:18
  • the fact that OP is able to get authorization code suggests it's not a CORS issue - authorization code is retrieved from same server as authorization token - the fact that OP is getting a bad request (despite saying otherwise, but http status 400 is bad request) suggests he's making a ... drum roll ... bad request – Jaromanda X Dec 18 '17 at 04:33
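
Added example, not part of the original posts: the token exchange from the question performed on a server the application controls, so the client secret never appears in page script and the request does not pass through a third-party proxy such as cors.io; a server-to-server POST is also not subject to the browser's CORS check. It assumes the app has a backend running Node 18+, and the function names and the `cfg` object (loaded from server-side configuration) are hypothetical.

```javascript
// Added example: server-side authorization-code exchange (Node 18+).
// TOKEN_URL and the form fields come from the question; the function
// names and the cfg object are assumptions made for illustration.
const TOKEN_URL = 'https://login.microsoftonline.com/common/oauth2/v2.0/token';

// Build the POST that the question's script sends, but on the server.
// URLSearchParams encodes each value exactly once, so cfg.redirectUri is
// passed unencoded and must match the one used in the authorize step.
function buildTokenRequest(code, cfg) {
  if (typeof code !== 'string' || code.length === 0) {
    throw new Error('missing authorization code');
  }
  if (!cfg.clientSecret) {
    throw new Error('client secret not configured on the server');
  }
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: cfg.redirectUri,
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret,
  });
  return {
    url: TOKEN_URL,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Perform the exchange. fetchImpl is injectable so the function can be
// exercised offline with a stub; it defaults to the global fetch.
async function exchangeCode(code, cfg, fetchImpl = fetch) {
  const { url, options } = buildTokenRequest(code, cfg);
  const res = await fetchImpl(url, options);
  const json = await res.json();
  if (!res.ok) {
    // Report the OAuth error code only; the request body holds the secret.
    throw new Error(`token endpoint returned ${res.status}: ${json.error}`);
  }
  return json; // keep tokens server-side; hand the browser a session instead
}
```

The page at the redirect URI would send only the `code` query parameter to this backend, which calls `exchangeCode` with the secret read from its own environment.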