- From: JP Sugarbroad <notifications@github.com>
- Date: Fri, 14 May 2021 13:35:56 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 14 May 2021 20:36:08 UTC
Here's the situation I'm in:
1. There is a CORS-enabled API.
2. The API uses SSO for auth.
3. Cross-origin requests are allowed to use ambient authority (SSO).
So what happens is that when a request comes in it can be redirected to the SSO provider to get a token. That's fine, but the SSO provider does not set CORS headers, so a `fetch(..., {credentials: 'include'})` request fails. Right now this is what I'm having to do:
```js
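// `api` is the URL of the CORS-enabled API endpoint.
let r = await fetch(api, {credentials: 'include', redirect: 'manual'});
if (r.type === 'opaqueredirect') {
  // Let the browser follow the SSO redirect in no-cors mode (the response is opaque).
  await fetch(api, {credentials: 'include', mode: 'no-cors'});
  // Repeat the original request.
  r = await fetch(api, {credentials: 'include', redirect: 'manual'});
}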
```
It's not great, since the browser ends up re-doing requests. Is there a better way to do this? Can there be one please?
--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1235