Authorize on spec not passing client id and secret in the request to get Access Token

Former Community Member

I have a proxy that uses OAuth2 to get APIGEE generated access token from a GetToken proxy.

But when I try the Authorize, I am unable to see the clientid and secret being passed in the headers. And also the request is going out from the Authorize button as OPTIONS.

I added CORS on the GetToken proxy and it is still not working.


But when I try the Authorize, I am unable to see the clientid and secret being passed in the headers. Also the request is going out from the Authorize button as OPTIONS.

Yes. Your web page is probably sending out the CORS pre-flight request. This is an OPTIONS request, not a POST request. Therefore you should not expect to see the client_id and client_secret in the header. The first thing the web page does is send the OPTIONS request. If the response to the OPTIONS request is adequate, then the web page will send out the POST request that you have in your JavaScript. If the response to the OPTIONS (pre-flight) request is not adequate, then the web page won't send out the POST request, and you will get no token.

I think maybe your API Proxy is not properly handling the CORS pre-flight request.

I added CORS on the GetToken proxy and it is still not working.

How did you "add CORS"? Be specific. What policy or policies did you add? How did you attach them into the API Proxy? Can you send a trace of the OPTIONS request and response?
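
The "adequate response" test the reply describes, sketched as an added example (not code from this thread or from Apigee): a simplified model of how a browser evaluates the OPTIONS pre-flight response before it sends the token POST. It assumes the client credentials travel in an `Authorization` header; the origin and the sample responses are constructed.

```javascript
// Simplified model of the browser's CORS pre-flight check (credentialed mode not modeled).
// Header names come from the Fetch standard; origins and sample responses are constructed.
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

function splitList(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// request:  { origin, method, headers: [names the real request will carry] }
// response: { status, headers: { lower-case name: value } } returned for the OPTIONS call
// Returns a list of problems; an empty list means the browser goes on to send the POST.
function checkPreflight(request, response) {
  const problems = [];
  const h = response.headers;
  if (response.status < 200 || response.status > 299) {
    problems.push(`pre-flight status ${response.status} is not 2xx`);
  }
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== request.origin) {
    problems.push(`Access-Control-Allow-Origin does not match ${request.origin}`);
  }
  const methods = splitList(h["access-control-allow-methods"]);
  if (!SAFELISTED_METHODS.has(request.method) && !methods.includes(request.method) && !methods.includes("*")) {
    problems.push(`${request.method} not in Access-Control-Allow-Methods`);
  }
  const allowed = splitList(h["access-control-allow-headers"]).map((n) => n.toLowerCase());
  for (const name of request.headers.map((n) => n.toLowerCase())) {
    if (SAFELISTED_HEADERS.has(name)) continue;
    // The "*" wildcard never covers Authorization; it must be listed by name.
    const ok = allowed.includes(name) || (allowed.includes("*") && name !== "authorization");
    if (!ok) problems.push(`${name} not in Access-Control-Allow-Headers`);
  }
  return problems;
}

// Constructed sample: token POST carrying client credentials in an Authorization header.
const tokenRequest = { origin: "https://portal.example.com", method: "POST",
  headers: ["Authorization", "Content-Type"] };
const incomplete = { status: 200, headers: { "access-control-allow-origin": "*",
  "access-control-allow-headers": "content-type" } };
const adequate = { status: 200, headers: {
  "access-control-allow-origin": "https://portal.example.com",
  "access-control-allow-methods": "POST, OPTIONS",
  "access-control-allow-headers": "authorization, content-type" } };

console.log(checkPreflight(tokenRequest, incomplete)); // one problem reported
console.log(checkPreflight(tokenRequest, adequate));   // []
```

Feeding it the status and response headers from a trace of the OPTIONS call shows which header keeps the POST from being sent.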