Error: Generating Access Token while calling API from External Application

Question

We have created Widget (Using Velocity) which is dynamically fetching group, forum, tags based on user selection. The widget is working fine within community. Our requirement is to call this widget from external application. 
 To implement this we are generating access token using the instruction (Using the Authorization Code Grant Type) provided at the below link ( community.telligent.com/.../authentication 
 We are getting the below error. 
 ' community-qa.thomsonreuters.com/.../authorize from origin 'community-dev.thomsonreuters.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request." 
 Any help will be appreciated.

Satish Kumar (3sides) · Answer

Hi, 
 As per the above conversation its clear that you are using a grant type as code so you need to form the URL as below 
 
http://community-qa.thomsonreuters.com//api.ashx/v2/oauth/authorize?response_type=token&client_id=placeyourclientid&redirect_uri=placeredirecturlhere 
 and if you type this URL directly on the browser you should see the login screen as below

And the you need to allow the application click allow on next screen 
 
 And then you should be redirected back to your return url page with the access token and Expiry time as query string parameters

Patrick M. · Answer

Taking the CORs issue aside, which is really something that is beyond the scope of community support, especially from a third party application, if you are doing any of this via javascript on that site I would re-evaluate doing it this way all together.

When you do this in javascript on the client, you are exposing your client secret to ANYONE who can view the source of the page, which means any user can take that secret and access the API and depending on how you have your client configured, possibly with administrative rights.

It is more appropriate to proxy all REST requests server side, meaning you expose an HTTP endpoint to your app, then the app makes the REST request on the server. This not only makes sure your secret is not compromised, but also completely eliminates your CORS issues.

Former Member · Answer

You're making requests from your dev instance against another instance ( community-qa.thomsonreuters.com ). Is this what you intend to do, rather than setting up an OAuth client fully in your dev environment for testing? 
 If so, check your CORS settings under Administration > Integration > CORS. You may need to allow dev requests from the dev url on the community-qa.thomsonreuters.com site.

Error: Generating Access Token while calling API from External Application

Top Replies