Detailed Description
Using the new Web SDK v4 library, when the request is made to the API for the Duo login (generated by the createAuthUrl method), a preflight request is made because of the 302 redirect which gets rejected because the OPTIONS method is not allowed. This results in a CORS error in the browser and the client is unable to secure 2FA auth.
Use Case
If the Duo team were able to allow the OPTIONS method for that call or somehow eliminate the need for the preflight check, this version of the client would work for our application.
Workarounds
There is currently no workaround that we can determine because the browser itself fails.
@davemednick I'm not clear on what is doing the preflight OPTIONS call in your environment. Are you using some web framework that wraps the 302 being returned? We've seen this type of issue before in SPA-style frameworks, or web applications that do XHR posts of login, not browser form posts.
For instance, with the example app, my browser (Chrome on Ubuntu) simply follows the redirect without issuing an OPTIONS call beforehand.
@AaronAtDuo our Slim-based application is behind VPN and firewalls... and we are required to use a standard HTML redirect to the URL created in Client. Our potential solution is creating a button (for direct access and not a 302 redirect, which we have verified as working) but the REAL solution would be allowing the OPTIONS method on the Duo end.
Landy Naylor has more info on how we're implementing and has a sample .HAR file.
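An added example, not part of the issue thread or the Duo SDK: a simplified model of the browser rule that decides when an OPTIONS preflight is sent, showing why a script-driven (XHR/fetch) login that is redirected cross-origin gets one while a top-level navigation does not. The origins, the `navigation` field and the sample requests are constructed assumptions.

```javascript
// Added example (not from the issue): simplified Fetch-standard preflight rule.
// Simplifications: ignores the Range header, header value length/byte limits,
// XHR upload listeners and streamed bodies.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
const BODY_HEADERS = new Set(["content-encoding", "content-language", "content-location", "content-type"]);

// Reasons a browser sends an OPTIONS preflight first; [] means no preflight.
// request.navigation (hypothetical field) marks a top-level navigation such as
// a link click, form post or server redirect of the page itself.
function preflightReasons(pageOrigin, request) {
  if (request.navigation) return []; // navigations are not subject to CORS
  if (new URL(request.url).origin === pageOrigin) return []; // same-origin
  const reasons = [];
  const method = (request.method || "GET").toUpperCase();
  if (!SAFE_METHODS.has(method)) reasons.push(`method ${method}`);
  for (const [name, value] of Object.entries(request.headers || {})) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.has(lower)) {
      reasons.push(`header ${lower}`);
    } else if (lower === "content-type") {
      const essence = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(essence)) reasons.push(`content-type ${essence}`);
    }
  }
  return reasons;
}

// The request the browser re-issues after a redirect: 301/302 turn POST into
// GET (303 does so for anything but GET/HEAD) and drop the body headers;
// author-set headers such as X-Requested-With are carried along.
function followRedirect(request, status, location) {
  const method = (request.method || "GET").toUpperCase();
  const toGet = ((status === 301 || status === 302) && method === "POST") ||
                (status === 303 && method !== "GET" && method !== "HEAD");
  const headers = Object.fromEntries(Object.entries(request.headers || {})
    .filter(([name]) => !(toGet && BODY_HEADERS.has(name.toLowerCase()))));
  return { ...request, url: new URL(location, request.url).href, method: toGet ? "GET" : method, headers };
}

// Constructed sample values; the origins are placeholders, not Duo endpoints.
const APP = "https://app.example.test";
const IDP_URL = "https://idp.example.test/authorize?request=PLACEHOLDER";
const xhrLogin = { url: APP + "/login", method: "POST",
  headers: { "Content-Type": "application/json", "X-Requested-With": "XMLHttpRequest" } };
const formLogin = { url: APP + "/login", method: "POST", navigation: true,
  headers: { "Content-Type": "application/x-www-form-urlencoded" } };
```

Even when no preflight is required, a script can read a cross-origin response only if that response carries a matching `Access-Control-Allow-Origin` header; a top-level navigation has no such requirement.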