[Solved] Help with CORS requests

Don’t know why, but my head just doesn’t want to grasp what you can and cannot do with CORS requests, using fetch API.

I know some of you are developers, so I ask for your help.

Can I set an access cookie in a CORS request like this?

I checked this StackOverflow question, but it didn’t make it clear to me.

I know I can solve it in these ways:

  1. Move auth.wolfery.com into the same domain as the origin (e.g. https://wolfery.com/auth)
  2. Instead of a CORS request, use a redirect, which then redirects back.

We are currently doing 1), so that is why it is working now. But to prepare for multi-realm support, I want the authentication server to be separated from the realm.

And I wish to avoid 2) because of vanity; it feels nicer/smoother if the webapp doesn’t bounce between sites. :sweat_smile:

So… Is it possible?

/Accipiter

I’m not the best web developer, and I know very little about CORS other than how to enable it. But what if api.wolfery.com proxied the requests to auth.wolfery.com on behalf of the user (is that bad practice?), so that instead of moving auth to the same domain as the origin, it’s completely hidden from it behind the API layer.

And I know that while you’re wanting to avoid redirects, a lot of sites still do that. So while it wouldn’t be the most graceful, it’s a viable plan B for when auth needs to be separated from the main domain.

That would also be possible :thinking:.

But I just got it to work with CORS! :partying_face:

… after a lot of fiddling

The StackOverflow answer was correct and did apply to my use case. So the answer was:

Yes, you can set an access cookie from a CORS request to the auth service, given that:

  • the auth service responds with the correct Access-Control-* headers
  • the auth service sets the cookie with SameSite=None, Secure, and Domain=wolfery.com
  • the client uses credentials: "include" in the fetch call.
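The three conditions in the answer above, worked through as a small, framework-free example. This is added illustration, not code from Wolfery or the thread: the origin allowlist, the `/login` path, the cookie name `access` and the `issueToken` callback are assumptions. The server-side functions model what auth.wolfery.com has to send (including the preflight reply), and `loginFromWebapp` is the browser-side fetch call.

```javascript
// Origins allowed to make credentialed requests to the auth service.
// With credentials, Access-Control-Allow-Origin must be one exact origin,
// never "*", so the server has to check the Origin header against a list.
// (Allowlist entries are assumed for this example.)
const ALLOWED_ORIGINS = new Set([
  "https://wolfery.com",
  "https://app.wolfery.com", // assumed: a second realm's web app
]);

// CORS response headers for a request coming from `origin`.
// Returns null for an origin that is not allowed; the caller then sends
// no CORS headers at all, and the browser refuses to expose the response.
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,       // echo the exact origin
    "Access-Control-Allow-Credentials": "true",  // allow cookies to be sent/stored
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type",
    "Vary": "Origin",                            // shared caches must key on Origin
  };
}

// Set-Cookie value for the access cookie. A cookie set by a cross-site
// response is only stored with SameSite=None, and browsers accept
// SameSite=None only together with Secure. Domain=wolfery.com makes the
// cookie available to api.wolfery.com as well; HttpOnly keeps it away
// from page scripts. Cookie name and lifetime are assumptions.
function accessCookie(token, maxAgeSeconds = 3600) {
  return [
    `access=${encodeURIComponent(token)}`,
    "Domain=wolfery.com",
    "Path=/",
    "Secure",
    "HttpOnly",
    "SameSite=None",
    `Max-Age=${maxAgeSeconds}`,
  ].join("; ");
}

// Minimal auth-service handler. `req` is {method, headers, body};
// the result is {status, headers}. `issueToken(body)` stands in for the
// real credential check and returns a token string or null.
function handleAuthRequest(req, issueToken) {
  const cors = corsHeadersFor(req.headers.origin);
  if (!cors) return { status: 403, headers: {} };

  // Preflight: the browser asks whether the credentialed POST is allowed.
  // A JSON Content-Type makes the request "non-simple", so this happens.
  if (req.method === "OPTIONS") return { status: 204, headers: cors };
  if (req.method !== "POST") return { status: 405, headers: cors };

  const token = issueToken(req.body);
  if (!token) return { status: 401, headers: cors };
  return {
    status: 200,
    headers: { ...cors, "Set-Cookie": accessCookie(token) },
  };
}

// Browser side, running on https://wolfery.com. Without
// credentials: "include" the browser neither sends cookies with a
// cross-origin fetch nor stores the Set-Cookie from the response.
function loginFromWebapp(username, password) {
  return fetch("https://auth.wolfery.com/login", {
    method: "POST",
    credentials: "include",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ username, password }),
  });
}
```

Two details worth keeping in mind when wiring this up for real: the allowlist check is what keeps `Access-Control-Allow-Credentials: true` from turning into "any site may log my users in and read the reply", and `Vary: Origin` stops a CDN from serving one realm's CORS headers to another.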