Client credentials grant flow API, CORS issue

Mohamed_Lotfi · October 27, 2022, 8:08pm

I believe this issue has been discussed several times, but I cannot find the solution to my problem. I am using vue js and trying to get access token using the following post request:

let params ={
          client_id : this.twitchClientId,
          client_secret : this.twitchClientSecret,
          grant_type : "client_credentials"
        };

      axios.post('https://id.twitch.tv/oauth2/token', params, {
         headers: {
           Accept: 'application/vnd.twitchtv.v5+json'
         }
      }).then(async res =>{
      console.log("Token generated => " + res.data.access_token);
      this.twitchAccessToken = res.data.access_token;

        }).catch(err => {
        console.log("Twitch token err =>");
        console.log(err);
       });

This is the error I get:

Access to XMLHttpRequest at 'https://id.twitch.tv/oauth2/token' from origin 'http://localhost:8080' has been blocked by CORS policy: Request header field client-id is not allowed by Access-Control-Allow-Headers in preflight response.

How can I tackle this issue? Thanks in advance.

Dist · October 27, 2022, 8:18pm

Are you trying to do this all client-side? because you should not be using the Client Credentials flow client-side (eg, within a web page).

Mohamed_Lotfi · October 27, 2022, 8:23pm

Yes. all from client side. Are you suggesting that I should get the token from the serve instead?

Dist · October 27, 2022, 8:45pm

Client Credentials (ie, App tokens) should only ever be used server-side or otherwise you’re exposing the client secret in the page.

If you want to get a token client-side you should use the Implicit flow https://dev.twitch.tv/docs/authentication/getting-tokens-oauth#implicit-grant-flow

Mohamed_Lotfi · October 27, 2022, 8:58pm

The only problem with that is that I do not want the users to do anything. I just need the token to call the helix API: https://api.twitch.tv/helix/search/channels

Please let me know if there is another way to do that without using the Implicit flow.

Dist · October 27, 2022, 9:19pm

The only other way would be to make the requests on your server rather than client-side.

system · November 26, 2022, 9:19pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.