Cors error when accessing EBAY User Consent API

Question

I am attempting to follow this EBAY User Consent API article https://developer.ebay.com/api-docs/static/oauth-consent-request.html but I am getting a CORS error "blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."

I've read numerous Cors posts here this one being a good one: XMLHttpRequest cannot load XXX No 'Access-Control-Allow-Origin' header but none of these solutions seem to work.

a pointer in the right direction would be great.

        $(document).on('click','.ebay_access', async function(event) {

            let scopes = encodeURIComponent("https://api.ebay.com/oauth/api_scope https://api.ebay.com/oauth/api_scope/sell.marketing.readonly https://api.ebay.com/oauth/api_scope/sell.marketing https://api.ebay.com/oauth/api_scope/sell.inventory.readonly https://api.ebay.com/oauth/api_scope/sell.inventory https://api.ebay.com/oauth/api_scope/sell.account.readonly https://api.ebay.com/oauth/api_scope/sell.account https://api.ebay.com/oauth/api_scope/sell.fulfillment.readonly https://api.ebay.com/oauth/api_scope/sell.fulfillment https://api.ebay.com/oauth/api_scope/sell.analytics.readonly https://api.ebay.com/oauth/api_scope/sell.finances https://api.ebay.com/oauth/api_scope/sell.payment.dispute https://api.ebay.com/oauth/api_scope/commerce.identity.readonly https://api.ebay.com/oauth/api_scope/commerce.notification.subscription https://api.ebay.com/oauth/api_scope/commerce.notification.subscription.readonly");
            let clientId = "{{env('EBAY_APIKEY')}}";
            let clientSecret = "{{env('EBAY_API_CERT_NAME')}}";
            let oAuthCredentials64 = btoa(clientId + ":" + clientSecret);
            let endpoint = 'https://api.ebay.com/identity/v1/oauth2/token';

            try{
                let response = await fetch(endpoint,
                    {
                        method: "POST",
                        headers:
                            {
                                "Content-Type": "application/x-www-form-urlencoded",
                                "Authorization": `Basic ${oAuthCredentials64}`
                            },
                        body:
                            "grant_type=client_credentials&scope=" + scopes
                    }

                );
                let responseJson = await response.json();
                console.log("CLIENT ACCESS TOKEN", responseJson);

            } catch(err){
                console.log("error: ", err);
            };

        }); //end function

CORS errors are server side. If you want to run that code in a browser you need to ask ebay to add your domain. — possum, Dec 09 '22 at 20:44
it appears from eBays article that they intend for the code to be run client-side given the user consent page that is displayed. If this is the case, how would you make the call? — scottsuhy, Dec 09 '22 at 20:55
If it's intended to be run client-side with your domain in the browser you wouldn't be getting CORS errors. Either you're doing something not intended or something is misconfigured on their side. — possum, Dec 09 '22 at 20:57
i just did a quick search of github and there are several implementations client side. here is one: https://github.com/AustinNolfi/mike_Spinelli_eBay_app/blob/main/src/js/authent.js could this be due to making the calls from localhost? — scottsuhy, Dec 09 '22 at 21:04
Why don't you look at the CORS headers and see what it's telling you is allowed? — possum, Dec 09 '22 at 21:09
here is the preflight https://imgur.com/Ps1zF9s what does "allow: OPTIONS,POST" mean? — scottsuhy, Dec 09 '22 at 21:25

score 1 · Answer 1 · answered Dec 28 '22 at 22:53

There are multiple issues here.

In general, if the URL - domain on your browser is not same as the ajax call browser is making then you get this error.
Seems that you have copied the code which was meant for server side execution. You should NEVER expose your credentials to client side. Anyone can use your steal your credentials.
The github link you provided as reference is for server side nodejs application which is running as an app and not under browser.

Heiko Theißen · Accepted Answer · 2022-12-29T09:17:35.873

The request you are making seems to be an authentication request, or "consent request", as eBay call it. This must be made to the authorization endpoint (probably https://api.ebay.com/identity/v1/oauth2/authorize). But you make it to the token endpoint (https://api.ebay.com/identity/v1/oauth2/token), as if it were a token request. But the token request is only the second step ("Exchanging the authorization code for a User access token").

Moreover, neither the authentication request nor the token request are CORS requests:

The authentication request must happen in a visible browsing context, as explained here. The user can only consent if they see what is going on.
The token request is not made by the browser, because this would expose the secret (as pointed out in Jags's answer). It must be made by your server.

In other words: No CORS should be involved at all. The eBay API article explains this correctly.

Cors error when accessing EBAY User Consent API

2 Answers2