The Authorizing OAuth Apps article doesn't mention that the access_token endpoint doesn't support CORS
Code of Conduct
- [X] I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps#2-users-are-redirected-back-to-your-site-by-github
What part(s) of the article would you like to see updated?
There should be a mention that CORS pre-flights are not supported on this endpoint (OPTIONS requests). This, and the fact that implicit flow is not supported, effectively means that authenticating from a SPA is impossible without a service relay. That's unless PKCE is supported, but there are no mentions of it. https://espressocoder.com/2019/10/28/secure-your-spa-with-authorization-code-flow-with-pkce/
Additional information
No response
Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
@baywet Thanks so much for opening an issue! I'll triage this for the team to take a look :eyes:
Thanks! For information, after investigating the issue further I also established that PKCE isn't supported today. This should probably be detailed in the docs as well. I've added a "feature request" here which contains additional details.
Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert :eyes:
This is a gentle bump for the docs team that this issue is waiting for technical review.
Cross-referencing https://github.com/github/docs/pull/24965 which is a PR to mention that PKCE is not supported.
@github/ecosystem-apps-reviewers could you review this from a technical perspective?
@skedwards88 just to clarify, are you asking for review of the cross-referenced PR? Or something else?
Thanks for asking @jamesmartin . Do we additionally need to document this part (below), or does https://github.com/github/docs/pull/24965 cover everything that this issue is asking for?
> There should be a mention that CORS pre-flights are not supported on this endpoint (OPTIONS requests). This, and the fact that implicit flow is not supported, effectively means that authenticating from a SPA is impossible without a service relay.
Thanks for clarifying, @skedwards. I think #24965 only covers the additional discovery that PKCE is not supported. The fact that we block OPTIONS requests, and therefore CORS preflight requests don't work, could also be documented to help developers of SPAs that depend on this type of authorization code flow.
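The "service relay" that the opening report and the reply above say a SPA needs, as an added example that is not part of this issue or of GitHub's own code: the browser never calls `https://github.com/login/oauth/access_token` itself (the preflight would be blocked), so the SPA posts the `code` and `state` it received on the redirect to this relay, which validates `state`, performs the code exchange server-to-server with the client secret that only the server holds, and answers the SPA with CORS headers scoped to the SPA's origin. The `SPA_ORIGIN` value, the injectable `send` hook and all constructed values in the comments are assumptions.

```python
"""Hypothetical token-exchange relay for a SPA using GitHub's OAuth
authorization code flow (added example, not GitHub's own code)."""
import json
import os
import urllib.parse
import urllib.request

GITHUB_TOKEN_URL = "https://github.com/login/oauth/access_token"
# Assumption: the SPA's origin is configured on the relay, never "*".
SPA_ORIGIN = os.environ.get("SPA_ORIGIN", "https://spa.example")


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Build the server-to-server POST that exchanges the code for a token.
    The secret is added here, on the server; the browser never sees it."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
    }).encode()
    return urllib.request.Request(
        GITHUB_TOKEN_URL, data=body, method="POST",
        headers={"Accept": "application/json",  # ask for JSON, not form-encoded
                 "Content-Type": "application/x-www-form-urlencoded"})


def relay_exchange(code, state, expected_state, client_id, client_secret,
                   redirect_uri, send=None):
    """Validate state, exchange the code, and return (status, headers, body)
    to hand back to the SPA. `send` is injectable for offline tests; the
    default performs the real HTTPS call with urllib."""
    cors = {"Access-Control-Allow-Origin": SPA_ORIGIN, "Vary": "Origin"}
    # Reject the callback before spending the code if state does not match
    # what the relay issued for this session (CSRF protection on the flow).
    if not state or state != expected_state:
        return 400, cors, {"error": "state_mismatch"}
    if send is None:
        def send(req):
            with urllib.request.urlopen(req, timeout=10) as resp:
                return json.loads(resp.read())
    token = send(build_token_request(code, client_id, client_secret, redirect_uri))
    if "access_token" not in token:
        # GitHub reports failures such as a bad or reused code in the JSON body.
        return 502, cors, {"error": token.get("error", "exchange_failed")}
    # Return only what the SPA needs; the client secret never left the server.
    return 200, cors, {"access_token": token["access_token"],
                       "token_type": token.get("token_type", "bearer"),
                       "scope": token.get("scope", "")}
```

The relay must also answer the SPA's own OPTIONS preflight with the same restricted `Access-Control-Allow-Origin`, which is exactly what the GitHub endpoint does not do.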
Thanks for providing more clarity. Documenting the feature gap is a first step in the right direction, but ultimately I'd like to see the gap addressed in the service. Before I make any documentation change, how can I request the feature formally?
> Before I make any documentation change, how can I request the feature formally?
We're tracking this feature internally and the discussion here has already been helpful to bring fresh perspectives to the issue. We don't have anything to announce right now as far as roadmaps go, however.
@jamesmartin great! Thank you for helping prioritize this set of features! Here is an additional PR to document the CORS gap: #25563