Previously Hoppscotch would allow setting no client secret for OAuth2 authentication, which would then trigger the client credentials flow for providers such as Azure AD.
The recent 2023.8.4 release adds validation for the clientSecret that forces users to set it, which will trigger the authorization code flow.
However, authorization code cannot be used, because Hoppscotch's final token exchange happens on the client, where Azure AD has CORS headers that block the request as well as a check on the Origin header, throwing the following error with a 400 Bad Request:
AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type. Request origin: 'https://hoppscotch.io'.
Steps to reproduce
Create a request to an authorized API with OAuth2.
Set authorization type to "OAuth 2.0".
Configure the authorization code flow by setting a client secret, or the client credentials flow by removing it.
Click "Generate Token".
Environment
Production
Version
Cloud