
I am attempting to follow this EBAY User Consent API article https://developer.ebay.com/api-docs/static/oauth-consent-request.html
but I am getting a CORS error "blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource."

I’ve read numerous CORS posts here, this one being a good one: XMLHttpRequest cannot load XXX No 'Access-Control-Allow-Origin' header, but none of these solutions seem to work.

A pointer in the right direction would be great.

    $(document).on('click', '.ebay_access', async function(event) {

        let scopes = encodeURIComponent("https://api.ebay.com/oauth/api_scope https://api.ebay.com/oauth/api_scope/sell.marketing.readonly https://api.ebay.com/oauth/api_scope/sell.marketing https://api.ebay.com/oauth/api_scope/sell.inventory.readonly https://api.ebay.com/oauth/api_scope/sell.inventory https://api.ebay.com/oauth/api_scope/sell.account.readonly https://api.ebay.com/oauth/api_scope/sell.account https://api.ebay.com/oauth/api_scope/sell.fulfillment.readonly https://api.ebay.com/oauth/api_scope/sell.fulfillment https://api.ebay.com/oauth/api_scope/sell.analytics.readonly https://api.ebay.com/oauth/api_scope/sell.finances https://api.ebay.com/oauth/api_scope/sell.payment.dispute https://api.ebay.com/oauth/api_scope/commerce.identity.readonly https://api.ebay.com/oauth/api_scope/commerce.notification.subscription https://api.ebay.com/oauth/api_scope/commerce.notification.subscription.readonly");
        let clientId = "{{env('EBAY_APIKEY')}}";
        let clientSecret = "{{env('EBAY_API_CERT_NAME')}}";
        let oAuthCredentials64 = btoa(clientId + ":" + clientSecret);
        let endpoint = 'https://api.ebay.com/identity/v1/oauth2/token';

        try {
            let response = await fetch(endpoint, {
                method: "POST",
                headers: {
                    "Content-Type": "application/x-www-form-urlencoded",
                    "Authorization": `Basic ${oAuthCredentials64}`
                },
                body: "grant_type=client_credentials&scope=" + scopes
            });
            let responseJson = await response.json();
            console.log("CLIENT ACCESS TOKEN", responseJson);

        } catch (err) {
            console.log("error: ", err);
        }

    }); // end function


Answers


  1. There are multiple issues here.

    1. In general, if the URL domain in your browser is not the same as the one the browser's ajax call is made to, then you get this error.
    2. It seems that you have copied code which was meant for server-side execution. You should NEVER expose your credentials to the client side. Anyone can steal and use your credentials.
    3. The GitHub link you provided as reference is for a server-side Node.js application which runs as an app and not in the browser.
  2. The request you are making seems to be an authentication request, or "consent request", as eBay call it. This must be made to the authorization endpoint (probably https://api.ebay.com/identity/v1/oauth2/authorize). But you make it to the token endpoint (https://api.ebay.com/identity/v1/oauth2/token), as if it were a token request. But the token request is only the second step ("Exchanging the authorization code for a User access token").

    Moreover, neither the authentication request nor the token request is a CORS request:

    • The authentication request must happen in a visible browsing context, as explained here. The user can only consent if they see what is going on.
    • The token request is not made by the browser, because this would expose the secret (as pointed out in Jags’s answer). It must be made by your server.

    In other words: No CORS should be involved at all. The eBay API article explains this correctly.
