Authorize redirect missing Access-Control-Allow-Origin header

I’m working on an app for a creator which allows Patreon members to sign into the site in order to access Patreon member exclusive content. I’m encountering an issue when attempting to sign in a user. The redirect from the authorize endpoint appears to be missing the header Access-Control-Allow-Origin so the browser is rejecting the redirect. The following is the full contents of the request and response. The Patreon API is responding with a redirect so the request must be correct.

Access to fetch at 'https://www.patreon.com/oauth2/authorize?client_id=m9z...zpW&scope=identity%20identity.memberships&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A7000%2Fapi%2Fpatreon%2Fcallback&state=CfD...9JU' (redirected from 'https://localhost:7000/api/signin') from origin 'https://localhost:7000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Request

Request URL: https://www.patreon.com/oauth2/authorize?client_id=m9z...NzpW&scope=identity%20identity.memberships&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A7000%2Fapi%2Fpatreon%2Fcallback&state=CfD...9JU
Request Method: GET
Status Code: 302 Found
Referrer Policy: strict-origin-when-cross-origin

Request Headers

:authority: www.patreon.com
:method: GET
:path: /oauth2/authorize?client_id=m9z…NzpW&scope=identity%20identity.memberships&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A7000%2Fapi%2Fpatreon%2Fcallback&state=CfD…9JU
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
cache-control: no-cache
origin: https://localhost:7000
pragma: no-cache
priority: u=1, i
referer: https://localhost:7000/
sec-ch-ua: "Chromium";v="130", "Microsoft Edge";v="130", "Not?A_Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0

Response Headers

cache-control: private
cf-cache-status: DYNAMIC
cf-ray: 8d67d3f79d0ab371-PRG
content-language: en-US
content-type: text/html; charset=utf-8
date: Tue, 22 Oct 2024 07:38:28 GMT
location: https://www.patreon.com/login?ru=%2Foauth2%2Fauthorize%3Fclient_id%3Dm9z...zpW%26scope%3Didentity%2Bidentity.memberships%26response_type%3Dcode%26redirect_uri%3Dhttps%253A%252F%252Flocalhost%253A7000%252Fapi%252Fpatreon%252Fcallback%26state%3DCfD...9JU
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
referrer-policy: origin,strict-origin-when-cross-origin
report-to: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=PxEjyacctMkgHlM6ClOO%2BBhD22xlGdevKfJ9FCTEiRK8zNadhvtllt9A7YZxTSKOkyz85zF4xANUN26fxkjYvRqEwpjShYI4Rd2h97iRMy%2BPuHi9W2k%2FQfYj8ywp6GwXAduyNvVek3hKjU48Ew%3D%3D"}],"group":"cf-nel","max_age":604800}
server: cloudflare
set-cookie: a_csrf=L65JZcNQDVhLOkQqibBoBYA_lx2w5jbe4kVBa6JnxTk; Domain=patreon.com; Expires=Tue, 22-Oct-2024 08:38:28 GMT; Max-Age=3600; Secure; HttpOnly; Path=/
set-cookie: patreon_locale_code=en-US; Domain=patreon.com; Expires=Mon, 17-Oct-2044 07:38:28 GMT; Max-Age=630720000; Secure; Path=/
set-cookie: patreon_location_country_code=CZ; Domain=patreon.com; Expires=Mon, 17-Oct-2044 07:38:28 GMT; Max-Age=630720000; Secure; Path=/
set-cookie: patreon_device_id=dab1499c-0edd-4fff-a332-2aef15864982; Domain=patreon.com; Expires=Thu, 01-Aug-2040 00:00:00 GMT; Max-Age=630720000; Path=/
set-cookie: patreon_location_country_code=CZ; Domain=patreon.com; Expires=Thu, 01-Aug-2040 00:00:00 GMT; Max-Age=630720000; Path=/
set-cookie: patreon_locale_code=en-US; Domain=patreon.com; Expires=Thu, 01-Aug-2040 00:00:00 GMT; Max-Age=630720000; Path=/
set-cookie: __cf_bm=p4knM9rquRTYhgB.wft_JJ.vchPsGqmmImmY_O_CUnU-1729582708-1.0.1.1-hNyWx4Q6Fm8OSWdfTB.ysCg1KZapttqx6IdBYj1I1rzUNHE5UZfGeh58bDZjYu3n4nz1FBlsWyTgT6jqUABmuINKCNcTxGu3YUX80.5X7ys; path=/; expires=Tue, 22-Oct-24 08:08:28 GMT; domain=.patreon.com; HttpOnly; Secure; SameSite=None
strict-transport-security: max-age=2592000
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: sameorigin
x-patreon-sha: 804a4d38a2cc55e8c40635709e26aac3b554d7bb
x-patreon-uuid: 8aee524f-a12c-5aae-935e-7f710730cbf6
x-xss-protection: 1; mode=block

I’ve worked around the issue by having the server return the authorize URL to the client and having the client simply navigate to the URL. The authorize endpoint now returns an HTML page as expected.


Something like this was not reported before. Normally what you must do is send the user to the authorization URL with a browser; then the user authorizes the app and returns to a page at your app with a browser. But good to hear that you sorted it out.