This repository was archived by the owner on Nov 18, 2021. It is now read-only.
OAuth web flow endpoints don't support CORS #330
Open
Description
All of the API v3 endpoints on api.github.com support CORS (https://developer.github.com/v3/#cross-origin-resource-sharing): however, the github.com endpoints involved in creating an OAuth2 access token via the Web Flow, specifically https://github.com/login/oauth/access_token, don't support the OPTIONS method or CORS headers necessary to POST to it and get the access_token back.
This is a bug. Denying cross-origin access here doesn't help security, as it is most easily worked around by doing the POST requests through a potentially-insecure third-party open reverse proxy (as implemented using https://cors-anywhere.herokuapp.com/https://github.com/login/oauth/access_token on http://stuartpb.github.io/gistachio/demo.html).
stuartpb commented on Jan 8, 2015
On 1/8/2015 12:56 AM, Ivan Žužak wrote:
stuartpb commented on Jan 8, 2015
Ivan has a point, and implicit OAuth really would be the correct solution here. The app I'm exposing the client_secret in is a demo, so I don't really care if it can be impersonated or wiped, but in general sending client_secret to the browser is wrong, and I certainly wouldn't do it for any meaningful app.
(I'd been considering it for a browser extension, but I didn't know / hadn't considered that the client_secret can be used to invalidate all tokens, so now I'm definitely going to set up a lightweight token generator server to obscure the secret.)
However, I'm not really a fan of GitHub's "security through not fixing bugs that are situationally mildly discouraging" rationale (as seen here and in #316).
ericsoco commented on Aug 16, 2016
I wasted the better part of a day on this dead end, trying to get the implicit OAuth2 flow to work w/ GitHub's API. I didn't notice the fine print at the top of the docs.
It seems like way too much of a hurdle to have to spin up a server just to connect an application to GitHub. But for future reference, here's a simple one, tailor-made for this problem:
https://github.com/prose/gatekeeper
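The kind of server ericsoco refers to, as an added example that is neither gatekeeper's code nor anything posted in this thread: a minimal Node.js relay that performs the access_token POST on the browser's behalf, keeps client_secret out of the page, and serves CORS only to an allowlisted origin instead of acting as an open proxy like the cors-anywhere workaround in the description. The allowed origin, the environment variable names and the code format are assumptions.

```javascript
// Added example: a minimal server-side relay for the web-flow token exchange.
// The browser sends only the temporary `code`; client_secret stays here, and
// CORS is granted to an explicit origin allowlist, never "*". Names/values are
// constructed for the example, not taken from any project.
const TOKEN_URL = "https://github.com/login/oauth/access_token";
const ALLOWED_ORIGINS = new Set(["https://example.github.io"]); // constructed

// CORS headers for an allowlisted origin, or null so the caller can refuse.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin, // echo the matched origin, not "*"
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type",
    Vary: "Origin",
  };
}

// Validates the temporary code and builds the upstream POST; this is the only
// place the secret appears, and it is never sent back to the browser.
function buildUpstreamRequest(code, clientId, clientSecret) {
  if (typeof code !== "string" || !/^[A-Za-z0-9]{1,64}$/.test(code)) return null;
  return {
    url: TOKEN_URL, method: "POST",
    headers: { "Content-Type": "application/json", Accept: "application/json" },
    body: JSON.stringify({ client_id: clientId, client_secret: clientSecret, code }),
  };
}

// Forwards only the token fields; upstream error bodies are not echoed.
function shapeResponse(upstream) {
  if (!upstream || upstream.error || !upstream.access_token) {
    return { status: 502, body: { error: "token_exchange_failed" } };
  }
  const { access_token, token_type, scope } = upstream;
  return { status: 200, body: { access_token, token_type, scope } };
}
// Framework-agnostic handler: req = { method, headers, body }; fetchFn is the
// global fetch, injected so it can be faked offline; wire to http.createServer.
async function handle(req, env, fetchFn) {
  const cors = corsHeaders(req.headers.origin);
  if (!cors) return { status: 403, headers: {}, body: "" };
  if (req.method === "OPTIONS") return { status: 204, headers: cors, body: "" };
  if (req.method !== "POST") return { status: 405, headers: cors, body: "" };
  let code;
  try { code = JSON.parse(req.body).code; } catch { code = undefined; }
  const up = buildUpstreamRequest(code, env.GH_CLIENT_ID, env.GH_CLIENT_SECRET);
  if (!up) return { status: 400, headers: cors, body: JSON.stringify({ error: "invalid_code" }) };
  const res = await fetchFn(up.url, { method: up.method, headers: up.headers, body: up.body });
  const out = shapeResponse(await res.json());
  return { status: out.status, headers: { ...cors, "Content-Type": "application/json" }, body: JSON.stringify(out.body) };
}
```

The browser-side call then posts only `{ "code": ... }` to this relay with `credentials` omitted, and the `state` check from the authorize step still happens in the page before the code is sent.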
wonderbeyond commented on Feb 8, 2017
I want to make a pure-javascript in-browser gist client, So CORS support is necessary!
axetroy commented on Apr 25, 2017
@wonderbeyond
That's great! I am doing something like you.
a serverless website, all data from Github api, so back to the point.
CORS support is necessary!
moodysalem commented on Jul 17, 2017
I want to build a password database hosted in a private GitHub repository and I can't build trust because the access code has to be sent to an endpoint I host that trades an access code for a token.
pdelta/pdelta.github.io#1
amaralDaniel commented on Feb 7, 2018
Any updates on this?
mrahman1122 commented on Apr 4, 2018
Have there been any updates on this issue??
chulman444 commented on Dec 26, 2018
The request is successful in the network tab of the chrome dev tool. I can see my access_token in it, however I can't retrieve the access_token in my script because of the error "... blocked by CORS policy: No 'Access-Control-Allow-Origin' header". Sending the access_token request with axios.post(url_with_oauth_params). So, is this resolved, or was it like this before? Seeing successful request-response in the network tab, but unable to retrieve it in the script?