[SOLVED] Cors error when accessing EBAY User Consent API

Cors error when accessing EBAY User Consent API

I am attempting to follow this EBAY User Consent API article https://developer.ebay.com/api-docs/static/oauth-consent-request.html but I am getting a CORS error "blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."

I've read numerous Cors posts here this one being a good one: XMLHttpRequest cannot load XXX No 'Access-Control-Allow-Origin' header but none of these solutions seem to work.

a pointer in the right direction would be great.

        $(document).on('click','.ebay_access', async function(event) {

            let scopes = encodeURIComponent("https://api.ebay.com/oauth/api_scope https://api.ebay.com/oauth/api_scope/sell.marketing.readonly https://api.ebay.com/oauth/api_scope/sell.marketing https://api.ebay.com/oauth/api_scope/sell.inventory.readonly https://api.ebay.com/oauth/api_scope/sell.inventory https://api.ebay.com/oauth/api_scope/sell.account.readonly https://api.ebay.com/oauth/api_scope/sell.account https://api.ebay.com/oauth/api_scope/sell.fulfillment.readonly https://api.ebay.com/oauth/api_scope/sell.fulfillment https://api.ebay.com/oauth/api_scope/sell.analytics.readonly https://api.ebay.com/oauth/api_scope/sell.finances https://api.ebay.com/oauth/api_scope/sell.payment.dispute https://api.ebay.com/oauth/api_scope/commerce.identity.readonly https://api.ebay.com/oauth/api_scope/commerce.notification.subscription https://api.ebay.com/oauth/api_scope/commerce.notification.subscription.readonly");
            let clientId = "{{env('EBAY_APIKEY')}}";
            let clientSecret = "{{env('EBAY_API_CERT_NAME')}}";
            let oAuthCredentials64 = btoa(clientId + ":" + clientSecret);
            let endpoint = 'https://api.ebay.com/identity/v1/oauth2/token';

            try{
                let response = await fetch(endpoint,
                    {
                        method: "POST",
                        headers:
                            {
                                "Content-Type": "application/x-www-form-urlencoded",
                                "Authorization": `Basic ${oAuthCredentials64}`
                            },
                        body:
                            "grant_type=client_credentials&scope=" + scopes
                    }

                );
                let responseJson = await response.json();
                console.log("CLIENT ACCESS TOKEN", responseJson);

            } catch(err){
                console.log("error: ", err);
            };

        }); //end function

Solution

The request you are making seems to be an authentication request, or "consent request", as eBay call it. This must be made to the authorization endpoint (probably https://api.ebay.com/identity/v1/oauth2/authorize). But you make it to the token endpoint (https://api.ebay.com/identity/v1/oauth2/token), as if it were a token request. But the token request is only the second step ("Exchanging the authorization code for a User access token").

Moreover, neither the authentication request nor the token request are CORS requests:

The authentication request must happen in a visible browsing context, as explained here. The user can only consent if they see what is going on.
The token request is not made by the browser, because this would expose the secret (as pointed out in Jags's answer). It must be made by your server.

In other words: No CORS should be involved at all. The eBay API article explains this correctly.