CORS issue with OneLogin using Custom-Allowed-Origin-Header-1

Question

we are having an issue making an API call to generate an OAuth token. Our call looks like this:

// Reusable variables
var oneloginURL = "https://api.us.onelogin.com";
var oneloginSessionURL = "https://rxsense.onelogin.com";

// Axios objects for AJAX calls, For onelogin calls only
var ONELOGIN_API = axios.create({baseURL: oneloginURL})
var ONELOGIN_SESSION_API = axios.create({baseURL: oneloginSessionURL})

const REQUIRED_CONFIG = {
    ONE_LOGIN: {
        LOGIN: {
            BASE: "https://api.us.onelogin.com",
            METHOD: "POST",
            ROUTE: "/api/1/login/auth"
        },
        TOKEN: {
            BASE: "https://api.us.onelogin.com",
            METHOD: "POST",
            ROUTE: "/auth/oauth2/v2/token"
        },
        SESSION_TOKEN: {
            BASE: "https://rxsense.onelogin.com",
            METHOD: "POST",
            ROUTE: "/session_via_api_token"
        }
    },
}

const services = {
    BASE_URL: baseURL,
    ACCESS: REQUIRED_CONFIG,
    sendRequestForOneLogin: function(service = ONELOGIN_API, method, route, params, config) {
        switch(method) {
            case 'GET': return service.get(route, params);
            case 'POST': return service.post(route, {params,config});
            case 'PUT': return service.put(route, params);
        }
    },
}

// Methods calling the services
generateOneLoginToken: function() {
    let params = {
        'grant_type': 'client_credentials',
    }
    let config = {
        auth: {
            username: "clientname",
            password: "clientsecret",
        },
        headers: {
            "Custom-Allowed-Origin-Header-1": "http://localhost:8080"
        }
    }
    return this.sendRequestForOneLogin(
        ONELOGIN_API,
        this.ACCESS.ONE_LOGIN.TOKEN.METHOD,
        this.ACCESS.ONE_LOGIN.TOKEN.ROUTE,
        params,
        config
    );
},
loginOneLogin: function() {
    let params = {
        'username_or_email': 'uname1',
        'password': 'pass@123',
        'subdomain': 'mydomain'
    }
    let config = {
        headers: {
            "Custom-Allowed-Origin-Header-1": "http://localhost:8080",
            "Authorization": 'bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        }
    }
    return this.sendRequestForOneLogin(
        ONELOGIN_API,
        this.ACCESS.ONE_LOGIN.LOGIN.METHOD,
        this.ACCESS.ONE_LOGIN.LOGIN.ROUTE,
        params,
        config
    );
},

Error that is getting displayed is:

“Access to XMLHttpRequest at 'https://api.us.onelogin.com/auth/oauth2/v2/token' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.”

Is this an issue with using localhost as the URL? I know there is documentation suggesting using the Custom-Allowed-Origin-Header-1 Header to resolve this issue but we are still seeing it on our end. If we cannot use localhost as the parameter for the CORS URL, would we be able to use the private IP address of the server making the call?

Answer 1

The request to get an Access Token should not be done from client side javascript as it means you have exposed your client_secret to the internet.

OneLogin only supports CORS for generating a session token. Again you should not make the original login request from client side javascript but you have the right idea with setting the "Custom-Allowed-Origin-Header-1" header on this request.

You would then make a request to generate a session based on the token returned from the first request. In effect this is a client side call that returns cookies to enable SSO. https://developers.onelogin.com/api-docs/1/login-page/create-session-via-token

If you must authenticate users from the client side this method is not the recommended approach. Please use either OpenId Connect Implicit flow or Authorization Code flow + PKCE.