SSO Implementation JS -> 404

Hi there,

I am currently looking at the SSO Implementation and I am stuck at a point, where I get the following error:

Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin

After reading and googling, I turned CURL off in my browser, which led to the following error:

Response for preflight has invalid HTTP status code 404

I read through all the posts and stuff, but I do not realize what is wrong here. Here is my JS:

// getURLParameter is a helper defined elsewhere in the poster's page
var state = getURLParameter('state');
var code = getURLParameter('code');

var clid = "clientid"; // of course these are set to my app's values
var secr = "secret";

var url = "https://login.eveonline.com/oauth/token";

var method = "POST";
var pcode = btoa(clid + ":" + secr);
var heada = "Basic " + pcode;

var postData = {
  "grant_type": "authorization_code",
  "code": code
};

var async = true;
var request = new XMLHttpRequest();

// must be the same variable as below ("Request" with a capital R is undefined)
request.onload = function () {
  var status = request.status;
  var data = request.responseText;
};

request.open(method, url, async);
request.setRequestHeader("Authorization", heada);
request.setRequestHeader("Content-Type", "application/json");
request.setRequestHeader("Cache-Control", "no-cache");
// send() needs a string body; passing the object itself sends "[object Object]"
request.send(JSON.stringify(postData));

Anyone got any idea?

Many thanks in advance!

https://www.fuzzwork.co.uk/market/viewer2/

Try an implicit version, rather than the route you’re taking at the moment. For one, it means you’re not exposing your secret, which is somewhat iffy.

Downside: no refresh token.

Thanks Steve,

I looked at your code, but it has so many other functions, so I honestly did not get it :wink:

So maybe if you post the relevant stuff with an explanation, that would be great…

Oh and by the way love your stuff, use it daily :wink:

view-source:https://www.fuzzwork.co.uk/market/viewer2/marketExplorer.js

extractFromHash function

the other key bit is:

window.location = "https://login.eveonline.com/oauth/authorize/" +
"?response_type=token" +
"&client_id=" + clientId +
"&scope=" + scopes +
"&redirect_uri=" + redirectUri +
"&state=" + csrfToken;

the response_type=token means that the token is returned as part of the url.

Hi again,

thanks a lot, I will try it to understand it :stuck_out_tongue_winking_eye:

Cheers,

Tanaka

Hey Steve,

Works with your code (as expected). Still I would love to get the other one working, so if anybody has an idea?

Kind regards,

Tanaka

Can you post your code as a gist on Github and I’ll give you feedback, cheers.

Thank you,

Code is upwards in the original post…

Fine, don’t take my help then… GIST is better because I can reply with properly formatted code in the GIST comments, anyway whatever…

Hahahaha,

once I try to get a character ID I get the same problem again also with the explicit method. I even completely copied your method, so it gets the same parameters, nothing.

I do not think they really want us to use this :wink:

Any ideas ?

Well it definitely seems to be a CORS issue. I wonder how I can get around it, because in the CORS definition it says the server needs to have a setting like

Access-Control-Allow-Origin: http://mydomain.com

I doubt, CCP will do this for everyone, so the concept behind this should be something else, which I am still missing, which for sure is my fault. I will completely redo the code and post again if it fails.

In between, if there is someone who REALLY knows, I’ll pay 250M ISK for a working, commented and readable solution, just login using EVE SSO, get a token, get a character ID and retrieve something from the character.

Cheers,

Tanaka

This might be a bug? ESI endpoints should have Access-Control-Allow-Origin: *. Or at least pretty much all the ones I saw. However, I’m not sure if the SSO login URL should be included in that.

However this is an SSO issue so you’d have to talk to the mystical SSO team.

Wherever they are… Can I post a ticket to them anywhere?

Cheers,

Tanaka

Ok, after reading everything, I do not think this works correctly. So if there is anyone who actually managed to get a character ID within a browser session (not only a token; a token is easy using implicit) please let me know.

And it would be nice if CCP would get someone in just to make it clear. Is the Allow-Access-Origins header set or not?

I am still offering 250M ISK for a working solution using a webpage and js.

TYVM,

Tanaka

There’s a verify endpoint for ESI which works just fine.

and: https://evemail.fuzzwork.co.uk

You need the character ID to be able to get someone’s mails :smiley:

Just to be clear: when I say ‘someone’s mails’, I mean the owner of the account who authed :wink:

Hello Steve,

it finally works, but I think for no reason. I did a GET request using $.ajax, while you are doing a $.getJSON, which in my opinion in this case are the same. Doing getJSON worked for me, so I will not bother finding out the difference :wink:

I sent you 250M ISK (Proof: https://i.imgur.com/HxDdBRJ.png), as you provided a working solution and I am keeping my promise. Thanks again and you have my next CSM vote again!

Fly safe!
