Brian Cunningham 11
Salesforce.com REST authentication CORS issue
I am doing some integration with the salesforce.com api but I have hit a roadblock.
Using some javascript I want to 1. Post a username/password to get an authentication token, e.g.: https://login.salesforce.com/services/oauth2/token?&client_id=XXX-XXX&client_secret=YYYYYY&grant_type=password&password=BLAHBLAHP&username=BLAH@BLAH.com 2. Use this token to make subsequent requests to the salesforce API.
When I make the above request it works fine as long as I disable the security of the browser or have an addon that adds an 'Access-Control-Allow-Origin' value to the response header. In this case I get back a valid response from Salesforce.
The problem is that I get a CORS error when I try this from my domain: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://{{myip}}' is therefore not allowed access.
Now I understand why this restriction is enforced by the browser; however, the Salesforce API has an option to add whitelisted domains. I would have thought that this would have allowed me to make this work, but it does not. Even though I have added my domain to the white list, the authentication request always comes back with the above error in the console of the browser (Chrome).
My question is: am I deluded to think that the whitelisting should work in my scenario? Am I missing some configuration of the salesforce app? Do I have to follow a different authentication method in order for this to work?
Any guidance would be appreciated.
PS: I know that I can set up a proxy to avoid this but I specifically want to avoid this... at least if that is possible with my current setup
The Salesforce REST API doesn't yet support CORS on all request endpoints. So maybe you are using an endpoint that doesn't add the CORS headers? In the meantime, you can use a proxy: https://www.jamesward.com/2014/06/23/cross-origin-resource-sharing-cors-for-salesforce-com
I don't think the login methods support CORS. So you will need to use the User-Agent OAuth flow: https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/intro_understanding_user_agent_oauth_flow.htm And there is no way the browser will let you get the body of a cross-domain request without the CORS header. So if you want to do this from JavaScript in the browser, you will need the CORS headers.
Mark this as solved if it's resolved.
Regards,
Nagendra.P
// Access-Control-Allow-* are RESPONSE headers: they only take effect when the server
// (here Salesforce, or a proxy in front of it) sends them; setting them on a request does nothing.
headers["Access-Control-Allow-Origin"] = "*"; // "*" admits every origin and cannot be combined with credentials
headers["crossOrigin"] = "true"; // not a standard HTTP header; browsers ignore it
headers["Access-Control-Allow-Headers"] = "Origin, Content-Type, X-Auth-Token";
headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
// Origin is a request header the browser sets itself (it is on the forbidden-header list),
// so script cannot override it; the value below is never sent.
headers["Origin"] = "https://<my_site_domain>.com";
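The first answer's suggestion of a proxy is also the fix for the bigger problem in the question: the password and client_secret are sitting in browser JavaScript and in a URL query string. Below is an added example (not code from the thread or from Salesforce) of the thin server-side proxy that makes the two-step flow from the question work without shipping the secret to the browser. It is plain Node.js with no framework; ALLOWED_ORIGINS, buildCorsHeaders, buildTokenRequest, handleTokenProxy, the example origin and the request/response shapes are all assumptions for illustration, and the Salesforce call is injected as an `exchange` function so the logic runs offline.

```javascript
// Added example, not part of the forum thread: server-side CORS allow-list + token proxy.
// Hypothetical allow-list of browser origins permitted to use this proxy (constructed value).
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Decide which CORS headers to send for a request's Origin. Echo the exact allowed origin
// instead of "*": "*" cannot be used with credentialed requests and would let any site
// drive the proxy. Returns null when the origin is not on the allow-list.
function buildCorsHeaders(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || !allowed.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',                       // caches must not reuse this response for another origin
    'Access-Control-Allow-Methods': 'POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Access-Control-Max-Age': '600',
  };
}

// Build the password-grant request the proxy sends to Salesforce. Credentials go in the
// form-encoded POST body, not the query string as in the question, so they do not end up
// in access logs, Referer headers or browser history.
function buildTokenRequest({ username, password, clientId, clientSecret }) {
  const body = new URLSearchParams({
    grant_type: 'password',
    client_id: clientId,
    client_secret: clientSecret,
    username,
    password,
  });
  return {
    url: 'https://login.salesforce.com/services/oauth2/token',
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Proxy handler. `req` is { method, headers, body } and the result is { status, headers, body },
// so it can be exercised without a socket; `exchange(tokenReq)` performs the real HTTPS call
// in production (e.g. fetch) and is stubbed here. `config` holds the client id and secret,
// which live only on the server.
function handleTokenProxy(req, config, exchange) {
  const cors = buildCorsHeaders(req.headers.origin);
  if (!cors) return { status: 403, headers: {}, body: 'origin not allowed' };
  if (req.method === 'OPTIONS') return { status: 204, headers: cors, body: '' };
  if (req.method !== 'POST') return { status: 405, headers: cors, body: 'method not allowed' };

  const { username, password } = req.body || {};
  if (!username || !password) return { status: 400, headers: cors, body: 'missing credentials' };

  const tokenReq = buildTokenRequest({
    username, password, clientId: config.clientId, clientSecret: config.clientSecret,
  });
  const result = exchange(tokenReq);
  // Only what the browser needs for step 2 goes back; client_secret never leaves the proxy.
  return {
    status: 200,
    headers: { ...cors, 'Content-Type': 'application/json' },
    body: JSON.stringify({ access_token: result.access_token, instance_url: result.instance_url }),
  };
}

module.exports = { ALLOWED_ORIGINS, buildCorsHeaders, buildTokenRequest, handleTokenProxy };
```

Wire `handleTokenProxy` behind `http.createServer` and point the browser at the proxy instead of login.salesforce.com; the browser then only ever sees the access token, and the Salesforce whitelist setting from the question becomes irrelevant because the cross-origin call is now proxy-to-Salesforce, not browser-to-Salesforce.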