Token call in Authorization Code flow lack origin header #6012

Closed
BeChaRem opened this issue May 15, 2020 · 3 comments

@BeChaRem

Q&A

  • OS: Windows
  • Browser: Chrome
  • Version: 81
  • Method of installation: nuget via Swashbuckle 5.4.1
  • Swagger-UI version: 3.25.0
  • Swagger/OpenAPI version: Swagger 4.0, OpenAPI 3.0

Content & configuration

Default configuration.

Describe the bug you're encountering

Missing origin header in the request prevents the server from returning the access-control-allow-origin header in the response, and Chrome blocks the response due to CORS.

To reproduce...

Steps to reproduce the behavior:

  1. Have an identity provider supporting authorization code
  2. Host swagger on a different url
  3. Click authorize to start the login workflow
  4. Token call fails due to CORS with errors: Auth error TypeError: failed to fetch
    Access to fetch at 'https://[...]/token' from origin 'https://localhost:44343' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Expected behavior

Expected the origin header to be correctly set and Chrome to authorize the call.

Screenshots

Token request without the Origin header. https://i.imgur.com/SCBH13M.png

Additional context or thoughts

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
For a CORS request to be valid, the header Origin must be present on the request and the server responds with the header Access-Control-Allow-Origin: https://theorigin.com
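The CORS exchange this report describes, seen from the token endpoint's side, as an added example that is not part of the original issue and is not swagger-ui or identity-provider code: a function that decides which CORS headers to return for a preflight or token request using an exact-match origin allowlist. The function name, the allowlists and the sample requests are assumptions constructed for illustration; only the origin `https://localhost:44343` comes from the error message above.

```javascript
// Added example (hypothetical names): CORS decision for an OAuth token endpoint.
// Constructed allowlists; the origin is the Swagger UI origin from the error above.
const ALLOWED_ORIGINS = new Set(["https://localhost:44343"]);
const ALLOWED_METHODS = ["POST"];
const ALLOWED_HEADERS = ["authorization", "content-type", "x-requested-with"];

// req: { method, headers } with lower-cased header names.
// Returns { status, headers }; status null means "pass on to the token handler".
function corsDecision(req) {
  const origin = req.headers["origin"];
  const headers = { Vary: "Origin" }; // caches must not mix per-origin responses
  // No Origin header: not a CORS request, so no CORS headers are emitted.
  if (origin === undefined) return { status: null, headers };
  // Exact string match only; never reflect an arbitrary Origin or answer "*".
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { status: req.method === "OPTIONS" ? 403 : null, headers };
  }
  const wantMethod = req.headers["access-control-request-method"];
  const isPreflight = req.method === "OPTIONS" && wantMethod !== undefined;
  if (!isPreflight) {
    // The actual token POST: the browser exposes the response only with this header.
    headers["Access-Control-Allow-Origin"] = origin;
    return { status: null, headers };
  }
  const wantHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowed = ALLOWED_METHODS.includes(wantMethod) &&
    wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  // A rejected preflight carries no Allow-Origin, so the browser blocks the call.
  if (!allowed) return { status: 403, headers };
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = wantHeaders.join(", ");
  headers["Access-Control-Max-Age"] = "600";
  return { status: 204, headers };
}

// Constructed sample: the preflight a browser sends before the token POST.
const samplePreflight = {
  method: "OPTIONS",
  headers: {
    origin: "https://localhost:44343",
    "access-control-request-method": "POST",
    "access-control-request-headers": "Authorization, Content-Type",
  },
};
console.log(corsDecision(samplePreflight));
```

A preflight answered without `Access-Control-Allow-Origin`, as in the error quoted in step 4, corresponds to the rejected branches here.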

@BeChaRem
Author

This might not be a problem with swagger-ui. When cloning the repo locally and running it, I can complete the login and get call token without any CORS issue. I will continue to investigate this. Sorry about opening this too soon.

@aldredb

aldredb commented Jun 4, 2020

@BeChaRem I experienced this issue as well. Did you find the solution?

@BeChaRem
Author

BeChaRem commented Jun 4, 2020

No. Same reason as explained by laurynasr in your issue #6081.
