3

I'm connecting to the Xero OAuth server 'https://login.xero.com/identity/connect/authorize' through an Angular 7 app using the angular-oauth2-oidc package.

In my authConfig I have the following properties:

export const authConfig: AuthConfig = {
  issuer: 'https://login.xero.com/identity/connect/authorize',
  redirectUri: 'http://127.0.0.1:2114/xerocallback',
  clientId: 'XXXXXXXXXX647C2ABBAXXXXXXXXXX',
  scope: 'openid profile email offline_access',
  responseType: 'code',
};

However, as soon as I initialize the OAuth service

import { OAuthService } from 'angular-oauth2-oidc';
this.oauthService.configure(authConfig);

I get the following CORS error:

Access to XMLHttpRequest at 'https://login.xero.com/identity/connect/authorize/.well-known/openid-configuration' from origin 'http://localhost:2114' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Any idea of what I'm doing incorrectly? Any suggestions would be welcomed.

1 Answer

8

The Xero Identity provider doesn't currently support the PKCE flow from SPAs and Mobile devices – it only supports code flow from server-side web applications (where you provide the client_secret). This means you can't currently access our API directly from a browser-based application.

If this would be useful to you, raise a feature request on our UserVoice page and we can look into it: https://xero.uservoice.com/

– Josh (Xero)

Josh Barr