Kenneth
Kinde
Created by Kenneth on 4/4/2025 in #💻┃support
CORS Errors when using wildcards for allowed callback URLs
When using wildcards in allowed callback URLs in combination with a custom domain, I'm getting CORS errors when trying to retrieve a token from the oauth/token endpoint. Is this expected behavior? Actually detecting the validity of the callback/redirect URL works fine. It is just that afterwards, when I receive the login code on the callback and try to exchange it for an access token at the /oauth/token endpoint, we receive a CORS error. When I explicitly specify which URLs are allowed, this works just fine.
20 replies
Kinde
Created by Kenneth on 7/4/2024 in #💻┃support
Changing API settings takes an incredibly long time
When updating authorized applications for an API, it takes a really long time until these changes are reflected when requesting access tokens, both for M2M tokens and user tokens. When adding a new API and adding a new authorized application, I can't seem to request tokens for this audience for several hours after making the changes in the Kinde Admin portal. The Kinde API also shows the API is active for said application (identifiers redacted):
GET https://<environmentUri>.eu.kinde.com/api/v1/apis/***
{
  "api": {
    "id": "****",
    "name": "MyApiName",
    "audience": "MyApiAudience",
    "applications": [
      {
        "id": "****",
        "name": "MyWebApp",
        "type": "Front-end and mobile",
        "is_active": true
      }
    ],
    "is_management_api": false
  },
  "code": "OK",
  "message": "Success"
}
Although the API says it is active, token requests keep giving the same error for quite a few hours, until it resolves itself automagically.
{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Requested audience '*****' has not been whitelisted by the OAuth 2.0 Client."}
{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Requested audience '*****' has not been whitelisted by the OAuth 2.0 Client."}
Also, when revoking access to an API/Audience or deleting an API completely, the application can still request M2M tokens for several hours after it has been revoked. Do you have any explanation, since this is quite the hurdle in developing new applications in our suite and for authorizing/revoking API access on production systems?
29 replies