Basically, I have a login form that, after authentication, starts the OAuth2 process, which works flawlessly until a final redirect is received that receives access tokens. The input stream looks like this: POST to /user/login redirects to /user/oauth/auth, then redirects to the OAuth redirect_uri /user/oauth/redirect. The redirect_uri error never occurs, and the request never hits the server.
If I hit this redirect using an Ajax request, CORS works fine and I get the expected response, which seems to happen if I redirect twice.
The server displays these responses.
[I 130226 10:16:38 web:1462] 302 POST /user/login (192.168.1.5) 156.01ms (Session cookies set fine)
[I 130226 10:16:38 web:1462] 200 OPTIONS /user/oauth/auth?scope=&client_id=DemoApp&response_type=code&redirect_uri=http://192.168.1.5:8443/user/oauth/redirect/code (192.168.1.5) 1.86ms
302 GET /user/oauth/auth?scope=&client_id=DemoApp&response_type=code&redirect_uri=http://192.168.1.5:8443/user/oauth/redirect/code (192.168.1.5) 8.58ms
The last URL is never hit. In Chrome, IE and FF the stream is the same, except that the server sees the request:
[I 130226 10:16:38 web:1462] 302 POST /user/login (192.168.1.5) 156.01ms
[I 130226 10:16:38 web:1462] 200 OPTIONS /user/oauth/auth?scope=&client_id=DemoApp&response_type=code&redirect_uri=http://192.168.1.5:8443/user/oauth/redirect/code (192.168.1.5) 1.86ms
302 GET /user/oauth/auth?scope=&client_id=DemoApp&response_type=code&redirect_uri=http://192.168.1.5:8443/user/oauth/redirect/code (192.168.1.5) 8.58ms
[I 130226 10:27:12 web:1462] 200 GET /user/oauth/redirect/code?code=57497058fbbf6003310ea22d3902ac67 (192.168.1.5) 0.54ms
In the web inspector, I see a request, but it dies like

I am using jQuery 1.9, and here is the ajax request (I have every parameter under the sun here to try to get it to work):
$.ajax({
    type: "POST",
    url: reqUrl,
    data: data,
    dataType: "json",
    success: function(data, textStatus) {
        console.log(data);
        alert('logged in');
    },
    error: function(e) {
        console.log(e);
    },
    complete: function(request, status) {
        console.log("headers=" + request.getAllResponseHeaders());
    },
    statusCode: {
        200: function(data) {
            console.log('yup we got it.');
        }
    },
    // send the session cookies with the cross-origin request
    xhrFields: { withCredentials: true },
    crossDomain: true,
    async: true
});
JSONP is not an option, as the initial mail is sent via HTTPS and should be a POST request. Again, all other browsers, including IE, work very well and launch a success response.
Safari runs status code 0 and an error, which is a classic source policy error, but URI redirection works in a standard ajax request, bypassing login. I doubt this is an access control problem because the call will work if Safari just launches it.
I'm sure it has something to do with the request headers when redirecting, and Safari stops the request. In the first successful 302 they look as follows:
Access-Control-Request-Method: GET
Origin: http://192.168.1.5:9090
Access-Control-Request-Headers: origin, accept-encoding, accept-language
But on URI redirection they look like this (which makes sense why it is not, because there are no access control headers, but why?):
Origin: http://192.168.1.5:9090
Accept-Encoding: gzip, deflate
Accept-Language: en-us
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.17 (KHTML, like Gecko) Version/6.0.2 Safari/536.26.17
Accept: */*
Referer: http://192.168.1.5:9090/login
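
The post shows request headers but not the response headers of each hop. Under the Fetch standard a browser applies the CORS check to every response in a redirect chain, the 302s included, and a withCredentials request needs an exact Access-Control-Allow-Origin plus Access-Control-Allow-Credentials: true on each one. The following is an added example, not part of the original post: `auditCorsChain`, the sample chain, and the assumption that /user/login is served from 192.168.1.5:8443 are constructed for illustration.

```javascript
// Added example (not from the original post). Audits a recorded redirect chain
// against the CORS check a browser applies to a credentialed cross-origin XHR.
// Each hop is { url, status, headers } with lower-cased header names.
function auditCorsChain(pageOrigin, hops) {
  const findings = [];
  let tainted = false; // true once a redirect crosses origins from a non-page origin
  hops.forEach((hop, i) => {
    const tag = `hop ${i} (${hop.status})`;
    const expected = tainted ? "null" : pageOrigin; // Origin the browser sends on this hop
    const acao = hop.headers["access-control-allow-origin"];
    if (acao === undefined) {
      findings.push(`${tag}: missing Access-Control-Allow-Origin`);
    } else if (acao === "*") {
      findings.push(`${tag}: wildcard origin is not accepted with credentials`);
    } else if (acao !== expected) {
      findings.push(`${tag}: Access-Control-Allow-Origin ${acao} != ${expected}`);
    }
    if (hop.headers["access-control-allow-credentials"] !== "true") {
      findings.push(`${tag}: Access-Control-Allow-Credentials is not "true"`);
    }
    const location = hop.headers["location"];
    if (hop.status >= 300 && hop.status < 400 && location) {
      const here = new URL(hop.url).origin;
      const next = new URL(location, hop.url).origin;
      // Fetch's redirect-tainted origin rule: later hops then carry "Origin: null".
      if (next !== here && here !== pageOrigin) tainted = true;
    }
  });
  return findings;
}

// Constructed sample modeled on the flow in the post. Assumptions: /user/login is
// served from 192.168.1.5:8443, and hop 1 deliberately omits the CORS headers.
const PAGE_ORIGIN = "http://192.168.1.5:9090";
const cors = { "access-control-allow-origin": PAGE_ORIGIN, "access-control-allow-credentials": "true" };
const sampleChain = [
  { url: "http://192.168.1.5:8443/user/login", status: 302,
    headers: { ...cors, location: "/user/oauth/auth?client_id=DemoApp&response_type=code" } },
  { url: "http://192.168.1.5:8443/user/oauth/auth?client_id=DemoApp&response_type=code", status: 302,
    headers: { location: "http://192.168.1.5:8443/user/oauth/redirect/code?code=PLACEHOLDER" } },
  { url: "http://192.168.1.5:8443/user/oauth/redirect/code?code=PLACEHOLDER", status: 200,
    headers: { ...cors } },
];

console.log(auditCorsChain(PAGE_ORIGIN, sampleChain));
```

Feed it the response headers captured for each hop (for example from the server side or a proxy); an empty result means every hop would pass the credentialed CORS check.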