I’m trying to use the PKCE flow as I don’t have a server. I’ve gotten through setting up the whole flow with the code challenge and everything only to find out that “No ‘Access-Control-Allow-Origin’ header is present” on the token URI. Here’s the fetch:
    await fetch('https://www.warcraftlogs.com/oauth/token', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({
        client_id: clientId,
        code_verifier: verifier,
        redirect_uri: 'http://localhost:8000/oauth',
        grant_type: 'authorization_code',
        code
      })
    })
I’ve confirmed I’ve set up everything else correctly because just for kicks I tested it with a normal form POST and got an access token. Obviously, that won’t work for applications because the response is JSON and doesn’t redirect back to the application again.
I think for PKCE to work in a browser-based web app, you need to set the CORS header on the token URI.
Thanks!