Orchestrator Authentication not working with JavaScript XHR request

I am trying to build a website where I can internally control our UiPath Orchestrator. We are using an on-premise Orchestrator.

The connection was first tested in Postman/curl:

curl --location --request POST '{{url}}/api/Account/Authenticate' \
--header 'Content-Type: application/json' \
--data-raw '{
	"tenancyName": "{{tenantName}}",
	"usernameOrEmailAddress": "{{usernameOrEmailAddress}}",
	"password": "{{password}}"
}'

This gives me back the auth token without any issue. Perfect.

Then I tried to implement that curl as XHR in JavaScript:

  var data = JSON.stringify({"tenancyName":"...","usernameOrEmailAddress":"...","password":"..."});
  var xhr = new XMLHttpRequest();
  xhr.withCredentials = true;
  xhr.addEventListener("readystatechange", function() {
    if(this.readyState === 4) {
      console.log(this.responseText);
    }
  });
  xhr.open("POST", "https://.../api/account/authenticate");
  xhr.setRequestHeader("Content-Type", "application/json");
  xhr.send(data);

But Firefox and Chrome are trying to preflight. So I get a 404 status code back:

Firefox: [image]

Chrome: [image]

I'm confused now about how to fix it. Actually it is obviously a CORS issue. So I tried to set:

<add name="Access-Control-Allow-Origin" value="*" />

on our IIS7 server. Without any change.

I also tried to set this setting to allow everything on the Node.js server and on the XHR request. But the 404 stays.

Then I tried using Chrome and Firefox plugins to disable CORS. But the 404 stays.

And again, in Postman it has worked perfectly since the first try. So it is just a CORS issue. But I want to leave CORS enabled, and maybe just configure it so that specific servers are allowed. How do I do that?

One solution is to use the non-preflight request:

  var data = "tenancyName=...&usernameOrEmailAddress=...&password=...";
  var xhr = new XMLHttpRequest();

  xhr.addEventListener("readystatechange", function() {
    if(this.readyState === 4) {
      console.log(this.responseText);
    }
  });

  xhr.open("POST", "https://url/api/account/authenticate");
  xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  xhr.send(data);

As the "Content-Type" value "application/x-www-form-urlencoded" is one of the non-preflight types, we simply dodge the CORS mechanics with it. And of course the data variable was changed, so the JSON.stringify is gone now.

As the UiPath Orchestrator server is in a private Azure environment, this is not a huge security issue at all.

Anyway, solutions that disable CORS completely on the IIS7 server are still welcome.
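
The question above asks how to keep CORS enabled while allowing only specific origins. The following JavaScript is an added example, not part of the original posts and not UiPath or IIS configuration: it shows which requests a browser preflights and how a server-side layer can answer the OPTIONS preflight for an allowlisted origin. The origin `https://control.example.internal` and the function names are assumptions, as is the presence of a layer in front of the API that can answer OPTIONS itself.

```javascript
// Added example: origin-allowlist CORS policy for a JSON login endpoint.
// ALLOWED_ORIGINS and the function names are assumptions, not Orchestrator settings.
const ALLOWED_ORIGINS = new Set(["https://control.example.internal"]); // constructed value

// Content types a browser sends cross-origin without a preflight (Fetch standard).
const SIMPLE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

// True when the browser will send an OPTIONS preflight before the real request.
// Simplification: custom request headers, which also force a preflight, are not modelled.
function needsPreflight(method, contentType) {
  const simpleMethod = ["GET", "HEAD", "POST"].includes(method.toUpperCase());
  const type = (contentType || "").split(";")[0].trim().toLowerCase();
  return !simpleMethod || (type !== "" && !SIMPLE_TYPES.includes(type));
}

// Decide status and CORS headers for one request. `headers` uses lower-case keys,
// as Node's http module provides them. status === null means "let the route decide".
function corsDecision(method, headers) {
  const origin = headers["origin"];
  if (!origin) return { status: null, headers: {} }; // no Origin header: no CORS headers needed
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: send no Access-Control-* headers, so the browser blocks the read.
    return { status: method === "OPTIONS" ? 403 : null, headers: { Vary: "Origin" } };
  }
  const out = {
    "Access-Control-Allow-Origin": origin, // exact origin; browsers reject "*" with credentials
    "Access-Control-Allow-Credentials": "true", // needed because the XHR sets withCredentials
    Vary: "Origin",
  };
  if (method === "OPTIONS" && headers["access-control-request-method"]) {
    out["Access-Control-Allow-Methods"] = "POST";
    out["Access-Control-Allow-Headers"] = "Content-Type";
    out["Access-Control-Max-Age"] = "600";
    return { status: 204, headers: out }; // answer the preflight here instead of a 404
  }
  return { status: null, headers: out };
}
```

A request that is not preflighted is still checked against `Access-Control-Allow-Origin` when the script reads the response; only the OPTIONS round trip is skipped.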
