Brian Cunningham 11

Salesforce.com REST authentication CORS issue

I am doing some integration with the salesforce.com api but I have hit a roadblock.

Using some javascript I want to:
1. Post a username/password to get an authentication token, e.g.: https://login.salesforce.com/services/oauth2/token?&client_id=XXX-XXX&client_secret=YYYYYY&grant_type=password&password=BLAHBLAHP&username=BLAH@BLAH.com
2. Use this token to make subsequent requests to the salesforce API.

When I make the above request it works fine as long as I disable the security of the browser or have an addon that adds an 'Access-Control-Allow-Origin' value to the response header. In this case I get back a valid response from Salesforce.

The problem is that I get CORS error when I try this from my domain: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://{{myip}}' is therefore not allowed access.

Now I understand why this restriction is enforced by the browser; however, the Salesforce API has an option to add whitelisted domains. I would have thought that this would have allowed me to make this work, but it does not. Even though I have added my domain to the whitelist, the authentication request always comes back with the above error in the console of the browser (chrome).

My question is: am I deluded to think that the whitelisting should work in my scenario? Am I missing some configuration of the salesforce app? Do I have to follow a different authentication method in order for this to work?

Any guidance would be appreciated.

PS: I know that I can set up a proxy to avoid this but I specifically want to avoid this... at least if that is possible with my current setup
Nagendra (Salesforce Developers)
Hi Brian,

The Salesforce REST API doesn't yet support CORS on all request endpoints. So maybe you are using an endpoint that doesn't add the CORS headers? In the meantime, you can use a proxy: https://www.jamesward.com/2014/06/23/cross-origin-resource-sharing-cors-for-salesforce-com

I don't think the login methods support CORS. So you will need to use the User-Agent OAuth flow: developer.salesforce.com/docs/atlas.en-us.api_rest.meta/(https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/intro_understanding_user_agent_oauth_flow.htm) And there is no way the browser will let you get the body of a cross-domain request without the CORS header. So if you want to do this from JavaScript in the browser, you will need the CORS headers.

Mark this as solved if it's resolved.

Regards,
Nagendra.P
IT User 44
Hey, have there been any changes to the REST API user/pass authentication and CORS? It's the end of 2018, and I'm running into the same issue. Do I need to set up some sort of proxy to accomplish this? ... I have https://localhost:port in my cors, etc... I'm able to generate a token using Postman with the request, but not able to do it using jquery/ajax from a web app: CORS errors in Chrome.
Dave Chisholm
I am having a real hard time understanding this issue. Why write a REST API where only part of it can be used from a browser????
Dave Chisholm
IT User 44.  Yes it is TWO YEARS later and this simple functionality is still missing.  What kind of company makes a REST API available that can't be used from a web browser? 
Arian Nemati 11
@Nagendra I am using exactly the flow in https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/intro_understanding_user_agent_oauth_flow.htm. I am initiating the flow from Javascript though, so I still see CORS errors in my browser console. I am unable to get the user to the Salesforce authorization page if I start the call via Javascript. What CORS headers do I need to insert exactly? I have tried all of the following:
headers["Access-Control-Allow-Origin"] = "*";
headers["crossOrigin"] = "true";
headers["Access-Control-Allow-Headers"] = "Origin, Content-Type, X-Auth-Token";
headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
headers["Origin"] = "https://<my_site_domain>.com";
Christopher Christensen
I spun up the proxy suggested by James Ward and this fixed my issue. My question is has this since been fixed and I'm just missing the fix? Seems like a really hacky way to solve an issue that Salesforce has had 5+ years to solve.