OAuth - Response for preflight is invalid?

I’m currently writing something in React & Node, and I can’t for the life of me get the token request to work. I have it working using Sails and Request, but I need to use Axios here. I’ve got the auth_code just fine, but when I try and grab the access token, I get the following error:

XMLHttpRequest cannot load https://graph.api.smartthings.com/oauth/token. Response for preflight is invalid (redirect)

I’ve gone over the examples, as well as the node example by @schettj here: https://github.com/schettj/SmartThings/blob/master/stoauth.js

I am using Axios to make the request as per:

    let authData = {
      grant_type: 'authorization_code',
      code: code,
      client_id: this.state.client_id,
      client_secret: this.state.client_secret,
      redirect_uri: this.state.redirect_uri
    };

    axios.post(this.state.token_uri, authData)
      .then(function(response){
        console.log(response);
      })
      .catch(function(error){
        console.log(error);
      });

Code is the code returned and my redirect_uri is the same one I use when I make the initial request for the access code… The token_uri I am using is https://graph.api.smartthings.com/oauth/token
Any ideas?

EDIT: Looks like the content type needed to be passed with it as it’s not sent by default. Now I’m getting

XMLHttpRequest cannot load https://graph.api.smartthings.com/oauth/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.

Now I know there is nothing I can do about this there, so any suggestions?

Add this to your HTTP request headers:

'Access-Control-Allow-Origin': '*'

Adding 'Access-Control-Allow-Origin': '*' to the request header isn’t working for me. My understanding of CORS is that the header must be on the resource, not the request.

How do we solve this?

I was stupidly trying to connect from the browser, not a server.
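
The resolution described in the post above (run the token exchange on a server instead of in the browser), as an added example that is not part of the original thread. `buildTokenRequest`, `exchangeCode`, `SAMPLE_CFG` and the `/callback` path are hypothetical names; the form-encoded content type is what OAuth 2.0 specifies for the token request, and Node 18+ is assumed for the global `fetch`.

```javascript
// Added example: runs in Node 18+ on your own backend, never in the browser bundle.
const TOKEN_URI = 'https://graph.api.smartthings.com/oauth/token'; // from the thread

// Build the token request. OAuth 2.0 (RFC 6749, section 4.1.3) expects a
// form-encoded body, so the content type has to be set explicitly.
function buildTokenRequest(code, cfg) {
  if (typeof code !== 'string' || code.length === 0) {
    throw new Error('missing authorization code');
  }
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret, // stays on the server
    redirect_uri: cfg.redirectUri,   // must match the authorize request
  });
  return {
    url: TOKEN_URI,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
      redirect: 'error', // fail on a redirect instead of re-sending the secret elsewhere
    },
  };
}

// Exchange the code server-to-server. CORS is enforced by browsers, so no
// Access-Control-* headers are involved on this hop.
// httpPost is injectable so the function can be exercised without network access.
async function exchangeCode(code, cfg, httpPost = fetch) {
  const { url, options } = buildTokenRequest(code, cfg);
  const res = await httpPost(url, options);
  if (!res.ok) {
    throw new Error(`token endpoint returned HTTP ${res.status}`);
  }
  const token = await res.json();
  // Return just the token fields; the client secret never leaves this process.
  return { access_token: token.access_token, expires_in: token.expires_in };
}

// Constructed placeholder configuration; load real values from the environment.
const SAMPLE_CFG = {
  clientId: 'CLIENT_ID_PLACEHOLDER',
  clientSecret: 'CLIENT_SECRET_PLACEHOLDER',
  redirectUri: 'http://localhost:3000/callback',
};
```

The React app then sends only the authorization code to your own backend route, which calls `exchangeCode`.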

So how did you solve this problem? I’m also having the same problem…

Need to provide more info, output from curl -v with your credentials etc removed would be useful. I had a similar problem with the new API where the web server fails to parse non-trivial Accept:-headers and also utterly fails to understand the CORS preflight concept. Gave up trying to get ST engineers to understand what they were doing wrong, so it’s still broken. Which basically means you have to use Chrome for browser-based access to that API as Firefox will fail when request needs preflight. I would not be surprised to learn that the web server for the old API behaves in much the same way. Postman is a good Chrome addon if you need to look at such traffic.

OK