Pre-flight OPTIONS request in AugularJS not passing authorization header

Question

I have look at many similar issue on stack overflow & google but no suggested solutions has work for me yet.

Here's the situation:

I'm trying to connect to a private api by using the following request:

POST https://api.domain.com/oauth/token

I need to pass an Authorization & Content-Type headers as well.

Problem is that the pre-flight OPTIONS request doesn't show those two headers, which made the api return me a 401 error.

This has been tested in Firefox & Chrome.

If I try to use HTTP instead of HTTPS, it get automatically redirected to HTTPS.

What's weird with that is that the exact same route in Postman work. Postman add the Authorization header in the OPTIONS request so the problem is not on server side.

How can I make sure that Angular $http add the Authorization header just like Postman do?

Thanks

Answer 1

I've been banging on my head with this same issue, but finally got it resolved.

You can't control the browser preflight OPTIONS request, so I would not go down the path of trying to have the browser add it. CORS preflight OPTIONS request should not be authenticated, the server should of just return 200 OK without requiring the Authorization & Content-Type.

In your backend application, make sure that the security configuration allow OPTIONS request to go through. In my case, it is a Java app, so this configuration is in web.xml. Finally in my backend code, I respond with 200 if I see the OPTIONS method, below is an example with Java and Jersey REST

public class CORSRequestFilter implements ContainerRequestFilter{


@Override
public ContainerRequest filter(ContainerRequest request) {

    if (request.getMethod().equals( "OPTIONS" ) ) {

        ResponseBuilder sb = Response.status(Response.Status.OK);

        throw new WebApplicationException(sb.build());
    }


    return request;
}   

}