I am using oauth2 to handle a user login via facebook. The error occurs when I call the authorization server in the golang api.

Here is the network error.

Fetch API cannot load https://www.facebook.com/dialog/oauth?client_id=1543358959292867&redirect_u…=email+public_profile&state=mUi4IpdY8yF5TNVVptMNNSn8IbVSZxJXTSEFM8Zg8LM%3D. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

network info (chrome)

```
Request URL:https://www.facebook.com/dialog/oauth?client_id=1543358959292867&redirect_uri=http%3A%2F%2Flocalhost%3A7001%2FFBLogin%2FCallback&response_type=code&scope=email+public_profile&state=lkmenB4FjNOShUQzL0Gpymi1xsvauaL7TawmUjCyvI4%3D
Request Method:GET
Status Code:302
Remote Address:[2a03:2880:f003:c1f:face:b00c:0:25de]:443
```

request headers

```
:authority:www.facebook.com
:method:GET
:path:/dialog/oauth?client_id=1543358959292867&redirect_uri=http%3A%2F%2Flocalhost%3A7001%2FFBLogin%2FCallback&response_type=code&scope=email+public_profile&state=KPbwnGWQoI7PHvwhJ_JvZ7RowPthjqpaDTgKVI5NHrM%3D
:scheme:https
accept:*/*
accept-encoding:gzip, deflate, sdch
accept-language:en-US,en;q=0.8
origin:null
referer:http://localhost:3000/
user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36
```

Javascript function that calls server api.

```javascript
let loginUrl = "http://localhost:7001/FBLogin" // server url
let config = {
  method: 'GET',
  mode: 'cors',
}
fetch(loginUrl, config).then(response => {
  // ...
})
```

Golang function that calls oauth authorization server (facebook).

```go
func FBLogin(w http.ResponseWriter, r *http.Request) {
	state, err := hashutil.GenerateRandomState()
	logutil.Fatal(err)
	url := config["fb"].AuthCodeURL(state)
	logutil.OauthSessionLogger(state)
	http.Redirect(w, r, url, 302)
}
```

I set the proper headers on the server side following this guide: Setting HTTP headers in Golang

I can't seem to find where the error comes from (facebook API developer console, the callback headers in the server code, or the javascript initiating the call?). I spent a lot of time changing the server headers but the error still persists as a CORS issue.

The origin in my request header is null, is that something to consider?

Edit: added no-cors mode result.

```
FBLogin 302 text/html SessionActions.js?524b:35 736 B 5 ms
oauth?client_id=154335&redirect_uri=http%3A%2F%2Flocalhost%3A7001%2FFBLogin%2FCallback&D 302 text/html http://localhost:7001/FBLogin 611 B 57 ms
login.php?skip_api_login=1&api_key=154335 200
```

All three calls were successful, but I was never redirected to the oauth page even when it said so. The response type was 'opaque' with a status 0.

goda
  • Not sure it will help as I can't find any way to set the 'request mode' but it might help you to understand what needs to be done. Basically, your headers are not the problem. The issue is in the response headers which need to indicate you're allowed to load the page. If there is not an `Access-Control-Allow-Origin` whitelisting the domain requesting a resource the browser is supposed to block that response. The error claims you can set a `no-cors` mode for your request, that's what needs to be done. Time allowing, I'll read Request.go's source and try to provide an actual implementation. – evanmcdonnal Apr 28 '16 at 20:35
  • One other thing, it's definitely not an option on the request. I recommend checking out the `Client` and the `RoundTripper`. The latter is an interface and you can replace the one being used with your own implementation, it's likely the solution will require you to do so. – evanmcdonnal Apr 28 '16 at 20:40
  • In the request headers, should the origin be 'localhost:7001', instead of null? Or is it the problem that facebook oauth link is not whitelisting any domains because it does not have 'Access-control-allow-origin' header? – goda Apr 29 '16 at 14:22
  • Problem is on the FB end of things, it has no `Access-Control-Allow-Origin` so no other domains are allowed to make the request for that url. The error indicates there is a setting on the Go side you can change so that CORS is not checked. – evanmcdonnal Apr 29 '16 at 15:58

1 Answer

A network trace using Wireshark or tcpdump can help to find what's going on, or capture HTTP traffic using any Firefox plugin to capture live headers.

Jitendra
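
The `origin: null` header and the CORS error in the question arise because `fetch()` follows the API's 302 to facebook.com inside a CORS request. One way to avoid that, as an added example that is not part of the original posts: the Go handler returns the authorization URL as JSON for the page to navigate to, using only the standard library. The cookie name `oauth_state` and the allowed origin `http://localhost:3000` are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"net/http"
	"net/url"
)

// authCodeURL rebuilds the question's authorization URL (values copied from its trace).
func authCodeURL(state string) string {
	q := url.Values{
		"client_id":     {"1543358959292867"},
		"redirect_uri":  {"http://localhost:7001/FBLogin/Callback"},
		"response_type": {"code"},
		"scope":         {"email public_profile"},
		"state":         {state},
	}
	return "https://www.facebook.com/dialog/oauth?" + q.Encode()
}

// FBLoginURL answers fetch() with 200 + JSON, not a 302, so no cross-origin redirect is followed.
func FBLoginURL(w http.ResponseWriter, r *http.Request) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		http.Error(w, "state generation failed", http.StatusInternalServerError)
		return
	}
	state := base64.URLEncoding.EncodeToString(b)
	// Assumed cookie name; binds the state to this browser for the callback check.
	http.SetCookie(w, &http.Cookie{Name: "oauth_state", Value: state, Path: "/FBLogin", HttpOnly: true, SameSite: http.SameSiteLaxMode})
	w.Header().Set("Access-Control-Allow-Origin", "http://localhost:3000") // assumed SPA origin (the trace's referer)
	w.Header().Set("Access-Control-Allow-Credentials", "true")
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]string{"url": authCodeURL(state)})
}

// StateMatches is the callback check: the returned state must equal the cookie.
func StateMatches(r *http.Request) bool {
	c, err := r.Cookie("oauth_state")
	got := r.URL.Query().Get("state")
	return err == nil && got != "" && subtle.ConstantTimeCompare([]byte(c.Value), []byte(got)) == 1
}

func main() {
	http.HandleFunc("/FBLogin", FBLoginURL)
	http.ListenAndServe("localhost:7001", nil)
}
```

On the client, the page would call this endpoint with `fetch(loginUrl, {credentials: 'include'})` and then hand the returned `url` to `window.location.assign`, so the authorization page loads as a top-level navigation rather than as a fetch response.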