Trying to do some authorization

Posted by goo on 25-Jun-2018 08:16


This is probable a bit no-Progress relatet, but  hopefully I can get some info.

It is HTML....

Doing some authentication I am receiving an Return to Our redirect_url:

I am trying to do something like this:


myParam = "&response_type=code&client_id=oidc_ovf&scope=openid profile&state=" + getURLparam('state') + "&redirect_uri=" + encodeURI("");



function getToken(inUrl,inParam){
  data: $(this).serialize() + inParam,
  success: function(data) { window.alert("Success:" + data);}

All Replies

Posted by goo on 27-Jun-2018 01:16

Ups, I can see that I forgot to ask my question, sorry....

I get this error, that seems to be related to CORS, but I am not sure how to get this right.

When I do the POST, it seems like the method is changed to OPTIONS, and that is forbidden by the receiver.


jquery.min.js:4 OPTIONS 403 (Forbidden)


Failed to load Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin '' is therefore not allowed access. The response had HTTP status code 403.


How can I solve this?

I know our domain has a bigIP system that translate official ip:port to internal IP:port. Could that be a problem related to this?

Posted by bronco on 27-Jun-2018 01:50

Goto (either in the conf director or in WEB-INF of your webapp) and locate `OECORSFilter.allowDomains=`. Set the correct domain there. This would probably be "".

Posted by goo on 27-Jun-2018 02:26

It is pure HTML/javascript, so eoablSecurity is not in play, and is our side, and is the security site who seems to reject us.

Posted by Ruben Dröge on 27-Jun-2018 02:41

Tutorial on using CORS (& jQuery):

Posted by on 27-Jun-2018 03:52

Some web page on their site ( make a request on your site and the response you send back doesn't have the necessary CORS headers or it doesn't white list their domain ( If you are in control of the response there you just need to send the appropriate headers back in that request so the client does not complain about CORS.

Marian Edu

Acorn IT 
+40 740 036 212

Posted by goo on 28-Jun-2018 09:30

After strugeling some hours now, I am still not Close to a solution. Is there anyone that could help geting me to understand this (or fix it) I will gladly pay the time it takes.

my latest attempt:, url, true);

       xhr.setRequestHeader('Authorization','Bearer ' + getURLparam('code') );  

//    xhr.setRequestHeader('Access-Control-Allow-Headers','Content-Type, Accept, X-Requested-With, Session');  

// xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');  


xhr.setRequestHeader('Access-Control-Allow-Methods','GET, POST, PATCH, PUT, DELETE, OPTIONS');

xhr.setRequestHeader('Access-Control-Allow-Headers','Origin, Content-Type, X-Auth-Token');

Still no GO.

//Geir Otto

Posted by goo on 29-Jun-2018 06:25

Anyone that could point me to a site where I could find some people for hire to fix this problem for me??

Posted by on 29-Jun-2018 07:28

You don't need to set the headers on the XMLHttpRequest when calling the external api service, you need to set the headers on your server that returns that web page where you make the XMLHttpRequest so your server tells the client browser it is allowed to make requests to other servers than the origin (your server).

Now, if that is a static page then you need to set the headers on the web server so this depends on what web server you use there... or if it's a dynamic page (asp, php, webspeed) you can set the headers as you build the page.

header('Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS');
header('Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token');

Marian Edu

Acorn IT 
+40 740 036 212

Posted by goo on 29-Jun-2018 09:13


The client is loging in to This webserver is reached behind a proxy that probably does a porttranslation (if that has anything to do with this). The index.html sends a GET to with a respond_url that points to In test.html, I find code and status and then I need to do a new call to that contains a httpheader: "Bearer <auth...code>"  that is the code I get, this is sent using POST. Is it so that has to do something on their webserver to allow me communicating? As I understand, the errormessage I get is related to the preposting that ajax does regard to CORS. I have a webspeed avail, would it be easier to use that for making the call?

Posted by on 29-Jun-2018 10:34

I see, so they aren't calling back using xmlhttprequest... it's only you that make calls to them that way, the first one using GET works and you get them to somehow callback to your test.html page. The problem seems to occur when you make a xmlhttprequest from that test.html page back to their server right? How do you receive the authorisation token and how do you send that back, any reason for you to use POST instead of GET?

What if you use some webspeed page instead of the static one and see what they send back, maybe you can make the post request from the server side instead of using xmlhttprequest. If you look at the network tab in the browser javascript console what is the sequence of requests/redirects that you see? Particularly check the headers sent in first GET response to their server, there should be some CORS related headers.

Looks like some oauth authentication but I can't get much info from their web site but looks like some eGovernment site. Usually the way it works is if someone lands on you server and you need to do some authorisation then you redirect them to the auth server ( with your application/client identifiers, they do the login and if all good redirects the user back to your redirect URL and send you some token in the request. Then you can use that token in subsequent requests to services. Is that something you're trying to implement or is some other flow that you use?
Marian Edu

Acorn IT 
+40 740 036 212

This thread is closed