[SalesForce] CORS error when calling SF rest api from localhost

I have a small JS application running on localhost. I am getting an access token through the user-agent flow (this works fine).

I then make an http request to the identity endpoint to get back my user info and this throws a CORS error.

Access to XMLHttpRequest at 'https://test.salesforce.com/services/data/v48.0' from origin 'https://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I have added localhost:3000 under the CORS whitelist in Salesforce but this doesn't do anything.

Best Answer

The Identity URL returned as part of an oauth response is not one of the endpoints that supports CORS whitelisting.

The Identity URL is returned in the id scope parameter. For example, https://login.salesforce.com/id/00Dx0000000BV7z/005x00000012Q9P.

Only the following APIs are supported per CORS whitelisting documentation.

Analytics REST API
Bulk API
Connect REST API
Salesforce IoT REST API
Lightning Out
REST API
User Interface API
Apex REST

Related Solutions

[SalesForce] Why is CORS (localhost) whitelist not working for authentication

It is very possible that localhost is the issue and you can only whitelist domains that are externally hosted. But I have no source to back up my assumption. I seem to recall trying this long before I had even heard of Salesforce and it still being a problem.

Something like this question. If you're not using Chrome, then it seems more likely to be a Salesforce issue.

[SalesForce] REST API OAuth2 CORS Issue

You need to redirect the browser to the login server. The process won't work with XMLHttpRequest/JavaScript, even if there was CORS, because it is inherently a browser-based flow. The correct order of operations for the OAuth2 Web Server flow is: redirect to Salesforce, user logs in and grants access, as necessary, Salesforce redirects back to your server, your server reads the "code" from the query string, and makes a request to the /token endpoint to finally receive an access token (and optional refresh token) that you will then use for future API calls.

Instead of trying to call the login page directly, just do this:

window.location = salesforceLoginUrl;

Your browser will then go to Salesforce to login, just as the anchor link did, and you can complete the process.

Best Answer

Related Solutions

[SalesForce] Why is CORS (localhost) whitelist not working for authentication

[SalesForce] REST API OAuth2 CORS Issue

Related Topic