What credentials are sent when an XHR specifies withCredentials?


I have an OAuth client that is retrieving an access token successfully.
However, when I send out an XHR, I still need to manually construct the Authorization header, despite specifying withCredentials:true.
I'm assuming that typically the OAuth client would write the credentials somewhere where the browser can access and use them on subsequent requests and perhaps it's not doing that. If that is true, what could I be missing here? Can someone point to some sample code in an OAuth client that is responsible for storing the token in a manner that is accessible to the browser using withCredentials?










      oauth






      asked Mar 26 at 19:33









      Dandan

          1 Answer














          No, this is not true.



          Unfortunately, browser support for HTTP authentication hasn't really progressed since 1997, and we're still manually adding Authorization headers, can't access OAuth2-protected endpoints directly with a browser or have a way to log out from the browser chrome.



          You need to add the header yourself.



          What withCredentials does control is automatically sending Authorization headers for places you are already logged in, but only for Basic and Digest auth, and it can also control sending cookies automatically or not.



          Plug, but on-topic: I wrote a fetch() wrapper that can add the header transparently: fetch-mw-oauth2. If you don't like the project, you can still check it out for sample code.






                answered Mar 26 at 19:50









                Evert
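
The answer's point is that the credentials flag covers cookies and Basic/Digest auth only, so the Bearer header has to be attached by code. The following is an added example, not code from the answer or from fetch-mw-oauth2: a small fetch() wrapper that sets the header only for one API origin. The names createBearerFetch, apiOrigin, getToken and fetchImpl, the example.test hosts and the token value are assumptions made for illustration.

```javascript
// Added example; createBearerFetch, apiOrigin and getToken are hypothetical names.
function createBearerFetch({ apiOrigin, getToken, fetchImpl = globalThis.fetch }) {
  const allowedOrigin = new URL(apiOrigin).origin;
  const base = globalThis.location ? globalThis.location.href : undefined;

  return function bearerFetch(input, init = {}) {
    // Only string or URL inputs are handled here, to keep header merging simple.
    const url = new URL(String(input), base);
    const headers = new Headers(init.headers);

    // `credentials` (fetch) / `withCredentials` (XHR) governs cookies and
    // browser-managed HTTP auth only, so it is passed through untouched.
    // The OAuth2 access token has to be set explicitly.
    if (url.origin === allowedOrigin) {
      const token = getToken();
      if (token) headers.set('Authorization', `Bearer ${token}`);
    }
    // Requests to any other origin never receive the token.
    return fetchImpl(url.href, { ...init, headers });
  };
}

// Constructed demo: a fake transport records what would go on the wire.
function demo() {
  const sent = [];
  const fakeFetch = (url, init) => {
    sent.push({
      url,
      auth: init.headers.get('Authorization'),
      credentials: init.credentials,
    });
    return Promise.resolve({ status: 200 });
  };
  const apiFetch = createBearerFetch({
    apiOrigin: 'https://api.example.test',
    getToken: () => 'constructed-token', // constructed sample value
    fetchImpl: fakeFetch,
  });
  apiFetch('https://api.example.test/me', { credentials: 'include' });
  apiFetch('https://cdn.example.test/lib.js', { credentials: 'include' });
  return sent;
}
```

Keeping the token in memory behind getToken and limiting it to one origin means a request to any other host goes out without it, whatever the credentials setting is.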
