Assistant2 CORS policy error. Access to XMLHttpRequest: No 'Access-Control-Allow-Origin' header.

[npacucci]

Hi,
I'm trying to use the Assistant2 APIs inside my Web Application (Angular CLI project) with the suggested Webpack Configuration .

I followed the official docs to use the APIs on pure Client scenario, as described here:

• https://cloud.ibm.com/docs/services/assistant?topic=assistant-api-client&programming_language=javascript&locale=en
• https://cloud.ibm.com/apidocs/assistant-v2?locale=it&code=node#authentication

Overview

I want to authenticate by iam_apikey, so my configuration is something like this:

import * as Assistant2 from 'ibm-watson/assistant/v2';

const assistant = new Assistant2({
  version: '2019-02-28',
  iam_apikey: '****************',
  url: 'https://gateway-lon.watsonplatform.net/assistant/api'
});

assistant.createSession({
    assistant_id: '***************'
})
.then(res => {
    console.log(JSON.stringify(res, null, 2));
 })
 .catch(err => {
   console.log(err);
 });

Debugging at runtime, after the Assistant2 initialization and before the createSession method execution, the assistant object looks like this:

assistant :  {
     tokenManager: {
          iamApikey: '****************',
          iamUrl: 'https://iam.cloud.ibm.com/identity/token',
          tokenInfo: { }
      },
     _options: {
          iam_apikey: '****************',
          qs: {
                version: '2019-02-28'
           },
          rejectUnauthorized: true,
          url: 'https://gateway-lon.watsonplatform.net/assistant/api',
          version: '2019-02-28'
     }
}

But executing the createSession method, I get the following errors:

Refused to set unsafe header "Accept-Encoding" (xhr.js:126).

Access to XMLHttpRequest at 'https://iam.cloud.ibm.com/identity/token' from origin 'http://localhost:5001' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

It seems that the IAM server that should generate the access token is not working.
As quoted here by @germanattanasio .

Expected behavior
The Assistant2 support CORS so I expected to simply call the APIs authenticating by the iam_apikey.

Actual behavior
CORS policy error.

SDK Version
ibm-watson: 4.1.1

[notarnet]

Any news? @germanattanasio @dpopp07

[npacucci]

Hi @germanattanasio, I tried getting the access token server side by an api in my app (as you described here ) and it works.

But after I set the access token inside the assistant2 constructor in my client code (typescript):

this.assistant = new Assistant({
  version: this.version,
  iam_access_token: <GENERATED_TOKEN>,
  url: this.url
});

and executing the createSession method I get another CORS error calling the gateway-lon.watsonplatform url:

Access to XMLHttpRequest at 'https://gateway-lon.watsonplatform.net/assistant/api/v2/assistants/23********65/sessions?version=2019-02-28' from origin 'http://localhost:5001' has been blocked by CORS policy: Request header field x-ibmcloud-sdk-analytics is not allowed by Access-Control-Allow-Headers in preflight response.

So maybe I misunderstood. What do you mean when you say that the assistant supports CORS?
Do you expect that it is possible to make API calls via browser or calls must be all made server side to avoid the CORS policy errors?

[germanattanasio]

Ohhh That's a problem on our side @npacucci. Let me work on it and get back to you.

[germanattanasio]

We have a PR to fix this in our servers

[npacucci]

@germanattanasio, I tried using the PR #776 but I couldn't do it. That PR is too old because it was branched from the older master 'watson-developer-cloud', so most code has been refactored now inside the new 'ibm-cloud-sdk-core' sdk and than the Assistant2 didn't even exist.

Is there any news about this fix to your servers?

[germanattanasio]

Changes are being tested in dev I expect them to be in staging next week and hopefully prod a day or two after staging

[dpopp07]

@germanattanasio @npacucci What is the status of this issue?

[germanattanasio]

Still in dev. Something with ingress came up so they are working on that first

[dpopp07]

@npacucci Thinking about this more, there may be a workaround you can use until things are fixed on our side. If the problem is coming from the request headers, you should be able to configure axios, our internal request library, to access the request object before it is sent and remove the headers.

We expose most of the axios config parameters in the service constructor so that the user has some control over their requests. I think the transformRequest parameter would suit your needs. Their documentation for that parameter even says

You may modify the headers object.

Let me know if you are able to use that workaround and if it works for you.

[germanattanasio]

The changes to support CORS are now in production 🎉

[drwhirst]

Sill doesn't work for me

[drwhirst]

Access to XMLHttpRequest at 'https://iam.cloud.ibm.com/identity/token' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

[drwhirst]

@germanattanasio