Hi,

I'm trying to integrate a Spring Boot REST API project with the Salesforce REST API.
My webapp API is running and uses OAuth with Spring Security to manage authentication with Salesforce OAuth2.
Everything is OK if I'm using the API from a browser. I open my REST API URL, and I can see the call, some redirects to be authenticated by Salesforce, and finally the result (and I'm logged in).
(BTW the final token/JSON from Salesforce is not cool. The id is a URL, and there is no user_id in the JSON)

But! My current issue :)

I created a page in my Salesforce org with just a button and a jQuery/Ajax call to my webapp API. During this call my security framework will call Salesforce to authenticate my user. My target is this workflow:

Customer is logged in to my Salesforce -> uses a page which needs some information from my business API (not in Salesforce) -> the page runs some jQuery/Ajax -> calls the remote API -> the API calls Salesforce to authenticate the current user by OAuth2 and make sure he has rights -> Salesforce responds via callback with a token -> Spring Security authenticates the user and redirects to the first URL

I set up some security in Salesforce and set some headers in my API, like Access-Control-Allow-Origin "https://cs15.salesforce.com".
I added a good certificate to be on HTTPS (Protocol TLS 1.2 / Key Exchange ECDHE_RSA / Cipher Suite AES_128_GCM).

But I still have this issue: Origin 'null' is therefore not allowed.
Chrome console:

XMLHttpRequest cannot load https://cs15.salesforce.com/services/oauth2/authorize?client_id=3MVG9dPGzpc... Redirect from 'https://cs15.salesforce.com/services/oauth2/authorize?client_id=3MVG9dPGzpc...' to 'https://test.salesforce.com/setup/secur/RemoteAccessAuthorizationPage.apexp…FzD9ItsFG5OpKmwmLlfm4hXTFfPOb0gyn8wO5zm04o...' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.

Details:

1) Call my API from Salesforce by Ajax: redirect 302 to my security login
2) My security login asks for a token and redirects 302 to https://cs15.salesforce.com
Request
Request URL:https://HIDE/salesforce/b2b/login
Request Method:GET
Status Code:302
Remote Address:HIDE:443

Response
Access-Control-Allow-Origin:https://cs15.salesforce.com
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Connection:Keep-Alive
Content-Length:0
Date:Thu, 24 Nov 2016 10:43:13 GMT
Expires:0
Keep-Alive:timeout=5, max=99
Location:https://cs15.salesforce.com/services/oauth2/authorize?client_id=3MVG9dPGzpc3kWydcitmO_I5XRa8IXTCnEGMfuYLqOUuSscVupHJc8HarX1d845LVyc4iK.QEg6pPEnCZ22IU&redirect_uri=MYURL&response_type=code&state=LF3p4x
Pragma:no-cache
Server:Apache/2.4.10 (Debian)
Set-Cookie:JSESSIONID=3B4CA5B5F6C42F348E8A61898F337D3C;path=/;HttpOnly
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block

3) https://cs15.salesforce.com redirects 302 to https://test.salesforce.com

Request
Accept application/json, text/javascript, */*; q=0.01
Accept-Encoding gzip, deflate, br
Accept-Language fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Host cs15.salesforce.com
Origin null
Referer https://cs15.salesforce.com/apex/testApi
User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0

Response
Cache-Control no-cache, no-store
Content-Length 0
Date Thu, 24 Nov 2016 10:52:19 GMT
Expires Thu, 01 Jan 1970 00:00:00 GMT
Location https://test.salesforce.com/setup/secur/RemoteAccessAuthorizationPage.apexp?source=CAAAAViWZNJKME8wZTAwMDAwMDAwMDA0AAAAzOaTCIh6kJYyjZj-e02lxwTTdQXXTUcJzlJ4DzXgdegh0m6sHlq04HfEocp_pFosaq20irC6TTb0L7X_wsAbV1Un9i6WtsM9HM6yKCS0qWItemCmqQmZPSoSpIo7xemytzeWh-V2-YJBDiKxrm-abjX4m5jqYoxzNZaKIUM7Qm_J47PpnR2xtq5zuWm_dqz33T415yoDBX4469TCUmBBXowwftFf6CqfjMzhg4810tF-GykYjdeDOuL4ftlW8cu3MOfFLA4tOG8mrDhENy_CXY101Cl-Gu6TbrsimdkE_0sCgknaAMN6IP4kkwua26HPJPSYgop-sxc5Lhul24fEc1rTOBcOHLQdyOrQdwNZ5KCpYcRxZK2tr1HvgSC6LsSPhiS9qpTLyl-weNr6-EB1qpR3Z7dILyF7hwyxWQpkj0i0pZ3Q2bQiCgzclnyR8bVWn831UVGNvgXWKxXli5PA6IlJdQCuXyoa1psQ1r-6G1N7AvrBOn2rgqxKcHXtS8LmDEvI9BZ2HsEFCzYoj4wGLkNxZR-5dargDWZpSYz4XAzG
Pragma no-cache
Set-Cookie BrowserId=nmJ-c8qHSMuDXNkHXWMuUg;Path=/;Domain=.salesforce.com;Expires=Mon, 23-Jan-2017 10:52:19 GMT
disco=;Version=1;Path=/;Domain=.salesforce.com;Expires=Thu, 01-Jan-1970 00:00:00 GMT;Max-Age=0;Secure


The error message is clear and true: the Origin header attribute is null, but it is Salesforce which set it. Why?
Is it a Salesforce issue? Configuration? Headers? Security?

The first call has a good Origin.

Right?

Thank you for your feedback.

Denis