Frontend <> Backend <> API OAuth2 issues

Hello everyone,

I’m currently developing an Angular application (version 16), and I’ve already created an application on the Battle.net developer portal, obtaining my API keys.

I understand that my frontend should not directly make authentication requests to the Battle.net API for security reasons. Therefore, I’m routing these requests through my backend, which acts as a secure intermediary.

Here’s what I’ve done so far:

  • I’ve obtained the necessary API keys for my application from the Battle.net portal.
  • I’ve implemented a cookie-based authentication system.
  • I’ve implemented OAuth2 authentication delegation on the backend to the Battle.net API using Battle.net API keys.

When I access an endpoint directly on my API that requires a Battle.net token, if I don’t have one yet, I’m correctly redirected to the Battle.net login screen and then returned to my API with a valid token, which I store in the database for 24 hours. Then, I generate my authentication cookie… and so on. I’m successfully authenticated, and I can use the token to fetch information from the Battle.net API.

The problem arises when I want to query these same endpoints from my Angular application. When I access endpoints that don’t require a Battle.net token, everything works fine—no issues, especially with CORS.

However, as soon as I request a resource that requires access to Battle.net and, therefore, authentication, I receive the following error as a response:

Access to XMLHttpRequest at 'https://oauth.battle.net/authorize?client_id=[...]&scope=wow.profile&response_type=code&redirect_uri=https://localhost:5005/oauth/bn-cb&state=[...]' (redirected from 'https://localhost:5005/bn/info') from origin 'https://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

  • localhost:5005 is my API.
  • localhost:4200 is my client.

So, my question is:

What is the authentication flow for such an architecture (which doesn’t seem extraordinary) - client <> server <> Battle.net API?

I can share any piece of code as needed, nothing confidential here.

Thanks for your help