
OAuth 2.0 policy is not verifying the access token when a CORS issue occurs from the browser accessing the Apigee API

https://community.apigee.com/questions/3138/cors-policy-in-my-api-proxy-when-using-oauth-20.html

As I came across the above thread, can someone please help me solve the issue I am facing right now? If the Apigee API is called from the web, this generates the CORS issue, which is handled in the proxy as told by @Barahalikar Siddharth.

My requirement is that I need to pass the token in the form of a header, not as a query parameter, which Apigee is accepting right now. If I pass the access_token in a header, it fails and gives a 500 server error.

Since the browser generates the CORS issue and the OptionPreFlight request doesn't validate this API request. And if I pass the same access_token in a query parameter, then this gives me success 200 OK. @Dino @Anil Sagar @kbouwmeester @Maruti Chand @Zhongli Wu @JennyB can you guide me to solve this problem? It would be really helpful.

1 ACCEPTED SOLUTION

Hi Mohsin,

Seems like when the preflight OPTIONS HTTP verb call is invoked by the trusted agent, the OAuthV2 policy is being invoked on Apigee. That shows that the conditional to CORS policy is not in effect.

In other words OAuthV2 policy should not be invoked for OPTIONS (preflight) calls. This can be done with a conditional like this:

<Condition>request.verb == "OPTIONS" AND request.header.origin != null AND request.header.Access-Control-Request-Method != null</Condition>

Refer to https://docs.apigee.com/api-services/content/adding-cors-support-api-proxy for more details.

Hope that solves it.

Thanks

Naseer
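
One way to lay out the proxy so that the condition in the accepted answer takes effect, as an added example that is not from the original thread or from Apigee's own bundle; the policy names Verify-OAuth-Token and Add-CORS, the base path and the allowed origin are assumptions. The OAuthV2 step is skipped only for a genuine preflight (the exact negation of the preflight condition), so an OPTIONS request without the CORS headers still needs a token.

```xml
<!-- apiproxy/proxies/default.xml (policy names, base path and origin are hypothetical) -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step>
        <!-- Token check runs for everything except a real CORS preflight -->
        <Name>Verify-OAuth-Token</Name>
        <Condition>request.verb != "OPTIONS" OR request.header.origin == null OR request.header.Access-Control-Request-Method == null</Condition>
      </Step>
    </Request>
  </PreFlow>
  <Flows>
    <Flow name="OptionsPreFlight">
      <Response>
        <Step><Name>Add-CORS</Name></Step>
      </Response>
      <Condition>request.verb == "OPTIONS" AND request.header.origin != null AND request.header.Access-Control-Request-Method != null</Condition>
    </Flow>
  </Flows>
  <HTTPProxyConnection>
    <BasePath>/v1/example</BasePath>
  </HTTPProxyConnection>
  <!-- Preflight is answered by the proxy itself and never reaches the backend -->
  <RouteRule name="NoRoute">
    <Condition>request.verb == "OPTIONS" AND request.header.origin != null AND request.header.Access-Control-Request-Method != null</Condition>
  </RouteRule>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>

<!-- apiproxy/policies/Verify-OAuth-Token.xml: reads "Authorization: Bearer TOKEN" by default -->
<OAuthV2 name="Verify-OAuth-Token">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- apiproxy/policies/Add-CORS.xml -->
<AssignMessage name="Add-CORS">
  <Set>
    <Headers>
      <!-- Constructed origin: list the web app's real origin rather than a wildcard -->
      <Header name="Access-Control-Allow-Origin">https://app.example.com</Header>
      <Header name="Access-Control-Allow-Headers">origin, accept, content-type, authorization</Header>
      <Header name="Access-Control-Allow-Methods">GET, POST, OPTIONS</Header>
    </Headers>
  </Set>
  <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>
```

The browser also expects Access-Control-Allow-Origin on the actual API response, so the same policy has to be attached to the normal response flow as well.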
