tickettenterprises asked

CORS Issue Getting Token for Low Trust Apps Using New OAuth Logic

Currently implementing the new OAuth logic (US) for a low trusted app.

In the Clover Sandbox dashboard for our app, we have the following REST Configuration:
* Site URL: http://localhost:8080/
* CORS Domain: http://localhost:8080
* Default OAuth Response: Token (Testing Only)

Our app redirects to the following endpoint: https://sandbox.dev.clover.com/oauth/v2/authorize?code_challenge={CodeChallenge}&client_id={AppClientId}

After logging in, we are redirected back to our app (localhost), with the following URL parameter:
http://localhost:8080/?merchant_id={MerchantId}&employee_id={EmployeeId}&client_id={ClientId}&code={Code}

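Using VueJs and axios, we make the following call:

// Body of the token request: the authorization code plus the PKCE verifier
const data = {
 client_id: clientId,
 code: code,
 code_verifier: this.codeVerifier,
};
// Cross-origin POST issued from the browser (axios serializes the object as JSON)
axios
 .post(`${this.baseUrl}/oauth/v2/token`, data)
 .then((response) => {});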

When trying to make the API call we get the following error in the console:

Access to XMLHttpRequest at 'https://sandbox.dev.clover.com/oauth/v2/token' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Chrome Network tab has two entries for the API endpoint:
* Status: Cors Error, Type: xhr
* Status: 403, Type: Preflight

Any help resolving this would be much appreciated.


parquet76 answered

From the Clover OAuth documentation:

"Since the API token request consists of sensitive information about your app, this request does not have CORS support. To successfully request an API token, send this request from your app server to the Clover server. When the Clover server responds to the request, retrieve the API token from your app server."


tickettenterprises commented

We are implementing this for a low trust app (as we are not using a backend server). The documentation mentions the following:

If your app is a mobile, single-page, or native desktop application, it can not safely store the client's secret and is a low trust app. Therefore, the app must use the auth flow with a proof key for code exchange (PKCE)

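Why the browser reported both a failed preflight and a CORS error for the axios call in the question, as an added example that is not part of any post in this thread and is not Clover or axios code. It is a simplified model of the CORS checks in the Fetch standard (non-credentialed requests only); the function names and the request and response objects are constructed here to mirror the post.

```javascript
// Added example: simplified model of a browser's CORS checks (Fetch standard),
// non-credentialed requests only. Response header names are assumed lower-cased.
const SAFE_METHODS = ["GET", "HEAD", "POST"];
const SAFE_HEADERS = ["accept", "accept-language", "content-language"];
const SAFE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

// Lower-cased names of request headers that are not CORS-safelisted.
function unsafeHeaders(headers) {
  return Object.entries(headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (n !== "content-type") return !SAFE_HEADERS.includes(n);
    return !SAFE_TYPES.includes(String(value).split(";")[0].trim().toLowerCase());
  }).map(([name]) => name.toLowerCase());
}

function needsPreflight(req) {
  return !SAFE_METHODS.includes(req.method) || unsafeHeaders(req.headers).length > 0;
}

// Access-Control-Allow-Origin must be "*" or the exact requesting origin.
function originAllowed(origin, res) {
  const acao = res.headers["access-control-allow-origin"];
  return acao === "*" || acao === origin;
}

// Comma-separated response header as a lower-cased list.
const list = (res, name) => (res.headers[name] || "").toLowerCase().split(",").map((s) => s.trim());

// Decide whether page script may read the response; the string names the failed check.
function corsOutcome(req, preflightRes, actualRes) {
  if (needsPreflight(req)) {
    if (!originAllowed(req.origin, preflightRes)) return "blocked: preflight lacks Access-Control-Allow-Origin";
    if (preflightRes.status < 200 || preflightRes.status > 299) return "blocked: preflight status not 2xx";
    const methods = list(preflightRes, "access-control-allow-methods");
    if (!SAFE_METHODS.includes(req.method) && !methods.includes(req.method.toLowerCase()) && !methods.includes("*"))
      return "blocked: method not allowed by preflight";
    const allowed = list(preflightRes, "access-control-allow-headers");
    if (!allowed.includes("*") && unsafeHeaders(req.headers).some((h) => !allowed.includes(h)))
      return "blocked: header not allowed by preflight";
  }
  return originAllowed(req.origin, actualRes) ? "readable" : "blocked: response lacks Access-Control-Allow-Origin";
}

// Constructed inputs mirroring the post: a JSON body, and an endpoint that answers without CORS headers.
const ORIGIN = "http://localhost:8080";
const jsonPost = { origin: ORIGIN, method: "POST", headers: { "Content-Type": "application/json" } };
const formPost = { origin: ORIGIN, method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" } };
const noCors = { status: 403, headers: {} };
console.log(corsOutcome(jsonPost, noCors, noCors));
console.log(corsOutcome(formPost, null, { status: 200, headers: {} }));
```

The second call shows that a body encoding which avoids the preflight does not change the outcome: a response without `Access-Control-Allow-Origin` is still withheld from page script, so the restriction cannot be lifted from the client side.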

Welcome to the
Clover Developer Community