javascript cors ebay-api

CORS error when accessing eBay User Consent API


I am attempting to follow this eBay User Consent API article https://developer.ebay.com/api-docs/static/oauth-consent-request.html but I am getting a CORS error: "blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."

I've read numerous CORS posts here, this one being a good one: "XMLHttpRequest cannot load XXX No 'Access-Control-Allow-Origin' header", but none of these solutions seem to work.

A pointer in the right direction would be great.

        $(document).on('click','.ebay_access', async function(event) {

            let scopes = encodeURIComponent("https://api.ebay.com/oauth/api_scope https://api.ebay.com/oauth/api_scope/sell.marketing.readonly https://api.ebay.com/oauth/api_scope/sell.marketing https://api.ebay.com/oauth/api_scope/sell.inventory.readonly https://api.ebay.com/oauth/api_scope/sell.inventory https://api.ebay.com/oauth/api_scope/sell.account.readonly https://api.ebay.com/oauth/api_scope/sell.account https://api.ebay.com/oauth/api_scope/sell.fulfillment.readonly https://api.ebay.com/oauth/api_scope/sell.fulfillment https://api.ebay.com/oauth/api_scope/sell.analytics.readonly https://api.ebay.com/oauth/api_scope/sell.finances https://api.ebay.com/oauth/api_scope/sell.payment.dispute https://api.ebay.com/oauth/api_scope/commerce.identity.readonly https://api.ebay.com/oauth/api_scope/commerce.notification.subscription https://api.ebay.com/oauth/api_scope/commerce.notification.subscription.readonly");
            let clientId = "{{env('EBAY_APIKEY')}}";
            let clientSecret = "{{env('EBAY_API_CERT_NAME')}}";
            let oAuthCredentials64 = btoa(clientId + ":" + clientSecret);
            let endpoint = 'https://api.ebay.com/identity/v1/oauth2/token';

            try{
                let response = await fetch(endpoint,
                    {
                        method: "POST",
                        headers:
                            {
                                "Content-Type": "application/x-www-form-urlencoded",
                                "Authorization": `Basic ${oAuthCredentials64}`
                            },
                        body:
                            "grant_type=client_credentials&scope=" + scopes
                    }

                );
                let responseJson = await response.json();
                console.log("CLIENT ACCESS TOKEN", responseJson);

            } catch(err){
                console.log("error: ", err);
            };

        }); //end function

Solution

  • The request you are making seems to be an authentication request, or "consent request", as eBay call it. This must be made to the authorization endpoint (probably https://api.ebay.com/identity/v1/oauth2/authorize). But you make it to the token endpoint (https://api.ebay.com/identity/v1/oauth2/token), as if it were a token request. But the token request is only the second step ("Exchanging the authorization code for a User access token").

    Moreover, neither the authentication request nor the token request are CORS requests:

    In other words: No CORS should be involved at all. The eBay API article explains this correctly.
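The two-step flow the answer describes, as an added example that is not part of the original question or answer: the consent request is a browser navigation, and the token exchange runs on the server so the client secret never appears in page JavaScript. The function names and the `authorizeEndpoint`, `tokenEndpoint` and `redirectUri` parameters are assumptions; take the real values from the eBay article linked in the question.

```javascript
// Added example (not the asker's or eBay's code). Endpoint URLs are parameters:
// take the real values from the eBay article linked in the question.

// Step 1 (browser): the consent request is a top-level navigation, e.g.
// window.location.assign(buildConsentUrl(...)), not fetch(), so CORS never applies.
function buildConsentUrl({ authorizeEndpoint, clientId, redirectUri, scopes, state }) {
  if (!state) throw new Error("state is required");
  const query = Object.entries({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope: scopes.join(" "),
    state, // unpredictable per-session value, checked again in step 2
  }).map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join("&");
  return `${authorizeEndpoint}?${query}`;
}

// Step 2 (server): validate the callback before touching the token endpoint.
function readCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get("error")) throw new Error(`consent denied: ${params.get("error")}`);
  if (!expectedState || params.get("state") !== expectedState) throw new Error("state mismatch");
  const code = params.get("code");
  if (!code) throw new Error("no authorization code in callback");
  return code;
}

// Step 3 (server only): the client secret is used here and never reaches page JavaScript.
function buildTokenRequest({ tokenEndpoint, code, clientId, clientSecret, redirectUri }) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  return {
    url: tokenEndpoint,
    options: {
      method: "POST",
      headers: {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": `Basic ${basic}`,
      },
      body: new URLSearchParams({
        grant_type: "authorization_code", code, redirect_uri: redirectUri,
      }).toString(),
    },
  };
}
```

On the server, pass the result to `fetch(url, options)`; a server-side request is not subject to the browser's CORS checks.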