SSO Implementation JS -> 404

(Tanaka Seiko) #1

Hi there,

I am currently looking at the SSO Implementation and I am stuck at a point where I get the following error:

Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin

After reading and googling, I turned CURL off in my browser, which led to the following error:

Response for preflight has invalid HTTP status code 404

I read through all the posts and stuff, but I do not realize what is wrong here. Here is my JS:

// helper used below (not shown in the original post): read a query-string parameter
function getURLParameter(name) {
  return new URLSearchParams(window.location.search).get(name);
}

var state = getURLParameter('state');
var code = getURLParameter('code');

var clid = "clientid"; // of course these are set to my app's values
var secr = "secret";

var url = "";

var method = "POST";
var pcode = btoa(clid + ":" + secr);
var heada = "Basic " + pcode;

// body of the token request; the value was missing from the post, so the
// authorization-code exchange fields are assumed here
var postData = JSON.stringify({ grant_type: "authorization_code", code: code });

var async = true;
var request = new XMLHttpRequest();

// open() must come before setRequestHeader(); this line was lost in the post
request.open(method, url, async);
request.onload = function () {
  var status = request.status;
  var data = request.responseText;
};
request.setRequestHeader("Authorization", heada);
request.setRequestHeader("Content-Type", "application/json");
request.send(postData);

Anyone got any idea?

Many thanks in advance!

(Steve Ronuken) #2

Try an implicit version, rather than the route you’re taking at the moment. For one, it means you’re not exposing your secret, which is somewhat iffy.

Downside: no refresh token.

(Tanaka Seiko) #3

Thanks Steve,

I looked at your code, but it has so many other functions, so I honestly did not get it :wink:

So maybe if you post the relevant stuff with an explanation, that would be great…

Oh and by the way love your stuff, use it daily :wink:

(Steve Ronuken) #4


extractFromHash function

the other key bit is:

// the leading "" stands in for the SSO authorize URL, which was stripped from the post;
// parameter values are URL-encoded so that ':' and '/' in the redirect URI survive
window.location = "" +
  "?response_type=token" +
  "&client_id=" + encodeURIComponent(clientId) +
  "&scope=" + encodeURIComponent(scopes) +
  "&redirect_uri=" + encodeURIComponent(redirectUri) +
  "&state=" + encodeURIComponent(csrfToken);

the response_type=token means that the token is returned as part of the url.
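
The implicit-grant round trip the post above sketches, written out as an added example (this is not Steve's gist and not code from the thread): build the authorize URL with a random state, read the token back out of the URL fragment after the redirect, and refuse it unless the state matches. AUTHORIZE_URL is a placeholder because the real URL was stripped from the post; clientId and redirectUri are whatever the app registered, and extractFromHash is my own reading of what a function by that name would do.

```javascript
// Added example, not the thread's code. Implicit grant in the browser:
// 1) send the user to the SSO authorize page with a random `state`,
// 2) on return, read the token from the URL fragment (#...),
// 3) reject the token unless `state` equals what we stored before leaving.
// ASSUMPTION: AUTHORIZE_URL is a placeholder for the SSO authorize endpoint.
const AUTHORIZE_URL = "https://login.example.invalid/oauth/authorize";

// 128-bit random state; the random source is injectable so it can be replaced in tests
function randomState(randomSource = globalThis.crypto) {
  const bytes = new Uint8Array(16);
  randomSource.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// URL(...).searchParams does the percent-encoding, so a redirect URI with ':' and '/' is safe
function buildAuthorizeUrl({ clientId, redirectUri, scopes, state }) {
  const u = new URL(AUTHORIZE_URL);
  u.searchParams.set("response_type", "token"); // token comes back in the fragment
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("scope", scopes.join(" "));
  u.searchParams.set("state", state);
  return u.toString();
}

// hash is window.location.hash, e.g. "#access_token=...&token_type=Bearer&expires_in=1200&state=..."
function extractFromHash(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  return {
    accessToken: params.get("access_token"),
    tokenType: params.get("token_type"),
    expiresIn: Number(params.get("expires_in")),
    state: params.get("state"),
    error: params.get("error"),
  };
}

// The state check is what stops a redirect forged or replayed by a third party
// from logging the victim into the attacker's session.
function acceptRedirect(hash, expectedState) {
  const t = extractFromHash(hash);
  if (t.error) throw new Error("SSO returned error: " + t.error);
  if (!t.accessToken) throw new Error("no access_token in fragment");
  if (!expectedState || t.state !== expectedState) {
    throw new Error("state mismatch: possible CSRF or replayed redirect");
  }
  return t;
}

// Browser glue. sessionStorage is per-tab, which is what we want for login state.
function startLogin(clientId, redirectUri, scopes) {
  const state = randomState();
  sessionStorage.setItem("sso_state", state);
  window.location = buildAuthorizeUrl({ clientId, redirectUri, scopes, state });
}

function finishLogin() {
  const expected = sessionStorage.getItem("sso_state");
  sessionStorage.removeItem("sso_state"); // one use only
  const token = acceptRedirect(window.location.hash, expected);
  // scrub the token out of the address bar and browser history
  history.replaceState(null, "", window.location.pathname + window.location.search);
  return token;
}
```

The token never leaves the browser in this flow, and no client secret is embedded in the page, which is the point of Steve's suggestion; the cost, as he notes, is that there is no refresh token, so the page has to send the user back through the redirect when expires_in runs out.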

(Tanaka Seiko) #5

Hi again,

thanks a lot, I will try it to understand it :stuck_out_tongue_winking_eye:



(Tanaka Seiko) #6

Hey Steve,

Works with your code (as expected). Still I would love to get the other one working, so if anybody has an idea?

Kind regards,


(NickyYo) #7

Can you post your code as a gist on Github and I’ll give you feedback, cheers.

(Tanaka Seiko) #8

Thank you,

Code is upwards in the original post…

(NickyYo) #9

Fine, don’t take my help then… A GIST is better because I can reply with properly formatted code in the GIST comments, anyway whatever…

(Tanaka Seiko) #10


Once I try to get a character ID I get the same problem again, also with the explicit method. I even completely copied your method, so it gets the same parameters, nothing.

I do not think they really want us to use this :wink:

Any ideas ?

(Tanaka Seiko) #11

Well, it definitely seems to be a CORS issue. I wonder how I can get around it, because in the CORS definition it says the server needs to have a setting like


I doubt CCP will do this for everyone, so the concept behind this should be something else, which I am still missing, which for sure is my fault. I will completely redo the code and post again if it fails.

In between, if there is someone who REALLY knows, I’ll pay 250M ISK for a working, commented and readable solution: just log in using EVE SSO, get a token, get a character ID and retrieve something from the character.



(Blacksmoke16) #12

This might be a bug? ESI endpoints should have Access-Control-Allow-Origin: *. Or at least pretty much all the ones I saw. However, I'm not sure if the SSO login URL should be included in that.

However this is an SSO issue so you’d have to talk to the mystical SSO team.
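
Both error messages from the first post are the browser's CORS machinery at work, and the two replies above are about exactly that. As an added example (not code from the thread or from CCP), the block below models what the browser decides: first, whether a request is "simple" or has to be preceded by an OPTIONS preflight (the Authorization header and a JSON Content-Type both force one), and second, how it judges the preflight response. The request headers and the two sample responses are constructed; the safelists follow the Fetch standard.

```javascript
// Added example, not the thread's code. CORS preflight decisions as the browser makes them.
// The safelists are the Fetch standard's CORS-safelisted methods, headers and content types.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Request headers that are not safelisted; any of these forces an OPTIONS preflight.
// Content-Type only counts as safe when its media type is one of the three above.
function nonSafelistedHeaders(headers) {
  const bad = [];
  for (const [name, value] of Object.entries(lowerKeys(headers))) {
    if (!SAFE_HEADERS.has(name)) { bad.push(name); continue; }
    if (name === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) bad.push(name);
    }
  }
  return bad;
}

function needsPreflight(method, headers) {
  return !SAFE_METHODS.has(method.toUpperCase()) || nonSafelistedHeaders(headers).length > 0;
}

// Judge a preflight response. Returns the reasons the real request would be
// blocked; an empty list means the browser lets the request go out.
function preflightProblems({ origin, method, headers }, { status, responseHeaders }) {
  const problems = [];
  const res = lowerKeys(responseHeaders);
  const m = method.toUpperCase();

  // A 404 (or any non-2xx) on the OPTIONS request fails the preflight outright.
  if (status < 200 || status > 299) {
    problems.push(`preflight response has invalid HTTP status code ${status}`);
  }
  const acao = res["access-control-allow-origin"];
  if (acao === undefined) {
    problems.push("no Access-Control-Allow-Origin header on the preflight response");
  } else if (acao !== "*" && acao !== origin) {
    problems.push(`Access-Control-Allow-Origin ${acao} does not match origin ${origin}`);
  }
  const allowMethods = (res["access-control-allow-methods"] || "")
    .split(",").map((s) => s.trim().toUpperCase()).filter(Boolean);
  if (!SAFE_METHODS.has(m) && !allowMethods.includes(m) && !allowMethods.includes("*")) {
    problems.push(`method ${m} not in Access-Control-Allow-Methods`);
  }
  const allowHeaders = (res["access-control-allow-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  for (const h of nonSafelistedHeaders(headers)) {
    // "*" covers every header except Authorization, which must be listed by name
    const covered = allowHeaders.includes(h) || (allowHeaders.includes("*") && h !== "authorization");
    if (!covered) problems.push(`request header ${h} not in Access-Control-Allow-Headers`);
  }
  return problems;
}

// Constructed samples: the token request from the first post, a 404 preflight
// like the one reported there, and a preflight response that would pass.
const tokenRequest = {
  origin: "https://app.example",
  method: "POST",
  headers: { Authorization: "Basic eHg6eXk=", "Content-Type": "application/json" },
};
const notFoundPreflight = { status: 404, responseHeaders: {} };
const goodPreflight = {
  status: 200,
  responseHeaders: {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "POST",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
  },
};
```

This is also why switching to the implicit flow did not make the problem disappear when the poster went on to call an API: a plain GET with an Authorization: Bearer header is still preflighted, so the endpoint being called has to answer OPTIONS with the right Access-Control-Allow-* headers. Nothing on the client side can change that; it is purely a server setting.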

(Tanaka Seiko) #13

Wherever they are… Can I post a ticket to them anywhere?



(Tanaka Seiko) #14

Ok, after reading everything, I do not think this works correctly. So if there is anyone who actually managed to get a character ID within a browser session (not only a token; a token is easy using implicit), please let me know.

And it would be nice if CCP would get someone in just to make it clear. Is the Allow-Access-Origins header set or not?

I am still offering 250M ISK for a working solution using a webpage and js.



(Steve Ronuken) #15

There’s a verify endpoint for ESI which works just fine.


You need the character ID to be able to get someone’s mails :smiley:

(Steve Ronuken) #17

Just to be clear: when I say ‘someone’s mails’, I mean the owner of the account who authed :wink:
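
The step Steve points at in the two posts above, as an added example that is not his code: take the access token from the implicit flow, send it as a Bearer header to the verify endpoint, and read the character ID out of the answer. The page gives neither the endpoint URL nor the response fields; VERIFY_URL and the field names (CharacterID, CharacterName, ExpiresOn, Scopes) are taken from the SSO verify endpoint as it was documented at the time and are assumptions here. The sample response is constructed.

```javascript
// Added example, not the thread's code. Resolve an access token to a character.
// ASSUMPTIONS: VERIFY_URL and the response field names are assumed from the SSO
// verify endpoint documentation; they are not on the page.
const VERIFY_URL = "https://login.eveonline.com/oauth/verify";

// ExpiresOn comes back as an ISO timestamp without a zone designator and means UTC;
// parsing it as-is would make the browser treat it as local time.
function parseUtc(timestamp) {
  const hasZone = /Z$|[+-]\d\d:\d\d$/.test(timestamp);
  return new Date(hasZone ? timestamp : timestamp + "Z");
}

function parseVerifyResponse(body, now = new Date()) {
  if (!Number.isInteger(body.CharacterID)) {
    throw new Error("verify response has no numeric CharacterID");
  }
  const expiresAt = parseUtc(String(body.ExpiresOn));
  if (Number.isNaN(expiresAt.getTime())) {
    throw new Error("verify response has an unparsable ExpiresOn");
  }
  return {
    characterId: body.CharacterID,
    characterName: body.CharacterName,
    scopes: String(body.Scopes || "").split(" ").filter(Boolean), // space-separated list
    expiresAt,
    expired: expiresAt.getTime() <= now.getTime(),
  };
}

// A GET with the token in a Bearer header. fetchImpl is injectable so the
// function can be exercised without a network.
async function verifyToken(accessToken, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(VERIFY_URL, {
    method: "GET",
    headers: { Authorization: "Bearer " + accessToken, Accept: "application/json" },
  });
  if (res.status === 401) throw new Error("token rejected (expired or malformed)");
  if (!res.ok) throw new Error("verify failed with HTTP " + res.status);
  return parseVerifyResponse(await res.json());
}

// Constructed sample response in the shape the endpoint returns (values invented).
const SAMPLE_VERIFY = {
  CharacterID: 90000001,
  CharacterName: "Example Pilot",
  ExpiresOn: "2018-03-01T12:00:00",
  Scopes: "esi-mail.read_mail.v1 esi-location.read_location.v1",
  TokenType: "Character",
  CharacterOwnerHash: "abcdefghijklmnopqrstuvwxyz0=",
};
```

With the character ID in hand, the mail request Steve mentions is another Bearer-authenticated GET against the character's mail resource, and it carries the same CORS requirement on the server side as the verify call. Checking the Scopes list before making that call saves a round trip: if the mail scope was not granted at login, the request will be refused anyway.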

(Tanaka Seiko) #18

Hello Steve,

It finally works, but I think for no reason. I did a GET request using $.ajax, while you are doing a $.jsonGET, which in my opinion in this case are the same. Doing getJSON worked for me, so I will not bother finding out the difference :wink:

I sent you 250 M ISK (Proof: ), as you provided a working solution and I am keeping my promise. Thanks again and you have my next CSM vote again!

Fly safe!

(system) #19

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.