Hello,
Is there a suitable flow for Single Page Web apps / Native apps that have no server backend? My conclusion after reading the documentation is no. I am not seeing any references to PKCE Flow, which I believe to be the only viable option for those types of apps? I am new to oauth, so I am wondering/hoping if perhaps I am not understanding the options Blizzard has made available.
Is there a flow that does not require a server backend for javascript? My main goal at this time is a student project to display items or cards from one of the Blizzard franchises in a react front end single page app. A backend server is not an option and I must use javascript.
Thanks in advance, appreciate any advice.
You definitely need an intermediate server for accessing the API. Even if you try to use the client_credentials flow (which is not meant to be used on the client side), it won't work because of CORS policy.
What exactly do you mean when you say "a back end server is not an option"? Is it a requirement for your project? Because if it is, that is a really odd requirement.
Can you use a proxy to the API instead? If so, I have this project ready for use.
I very much appreciate the reply!
Regarding "a back end server is not an option": just that my feeling is that it would not align with the specific focus of the project (react front end) more than anything. We will be making our own backend server with ruby/rails in our next project. Perhaps I will tackle oauth myself then.
That said, I do think an API proxy would be ok. I am definitely going to check out your project tomorrow! Thank you!!
Technically, you can perform a GET on /oauth/token?grant_type=client_credentials with client_id and client_secret querystring params, and the response includes "Access-Control-Allow-Origin: *", which leads me to believe CORS is enabled.
It's bad form, since the client-side JS will need access to your client_secret, but for a student project with an artificial limitation of no back-end code, it might be okay.
I'll have to double check that, but I'm pretty sure game_data and profile endpoints do not have the same CORS policy. So even if you get the token, you still can't access the rest of the data. Perhaps that changed since I tried something a few months ago.
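The thread's two safe options boil down to the same thing: keep client_secret on a server and have the browser talk to that server. The block below is an added example of that proxy pattern, written for this page; it is not the project the replier linked and not Blizzard's own code. It assumes Node 18+ (global fetch and Buffer), that the token endpoint accepts HTTP Basic client authentication with a POST body of grant_type=client_credentials, and uses placeholder hosts (oauth.example.invalid, api.example.invalid) that you would replace with the real ones. It caches the token until shortly before expiry and only forwards allow-listed path prefixes, so the proxy cannot be turned into an open relay to arbitrary upstream endpoints.

```javascript
// Added example (not from the thread): a server-side proxy core that keeps
// client_id/client_secret out of the browser bundle. The React app calls this
// server; the server obtains a client_credentials token and forwards the
// request with a Bearer header. Assumptions: Node 18+, Basic-auth token
// endpoint, placeholder hosts below.

const DEFAULTS = {
  tokenUrl: 'https://oauth.example.invalid/oauth/token', // placeholder host
  apiBase: 'https://api.example.invalid',               // placeholder host
  allowedPrefixes: ['/data/'],                          // what the browser may reach
};

function createProxy(options) {
  const cfg = { ...DEFAULTS, ...options };
  const fetchImpl = cfg.fetchImpl || globalThis.fetch;  // injectable for tests
  const now = cfg.now || (() => Date.now());            // injectable clock
  let cached = null;                                    // { accessToken, expiresAt }

  // Obtain (or reuse) a client_credentials token. The secret travels only
  // server-to-server; the browser never sees it or the token request.
  async function getToken() {
    if (cached && cached.expiresAt - 30_000 > now()) return cached.accessToken;
    const basic = Buffer.from(`${cfg.clientId}:${cfg.clientSecret}`).toString('base64');
    const res = await fetchImpl(cfg.tokenUrl, {
      method: 'POST',
      headers: {
        Authorization: `Basic ${basic}`,
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      body: 'grant_type=client_credentials',
    });
    if (!res.ok) throw new Error(`token request failed: ${res.status}`);
    const body = await res.json();
    cached = {
      accessToken: body.access_token,
      expiresAt: now() + (body.expires_in || 0) * 1000, // refresh 30 s early
    };
    return cached.accessToken;
  }

  // Forward a browser request to the upstream API with the token attached.
  // Paths outside the allow list (including the token endpoint itself) are
  // refused, so the proxy exposes only the read-only data the app needs.
  async function forward(path) {
    const allowed = cfg.allowedPrefixes.some((p) => path.startsWith(p));
    if (!allowed || path.includes('..')) {
      return { status: 403, body: { error: 'path not allowed' } };
    }
    const token = await getToken();
    const res = await fetchImpl(cfg.apiBase + path, {
      headers: { Authorization: `Bearer ${token}` },
    });
    return { status: res.status, body: await res.json() };
  }

  return { getToken, forward };
}

// Usage sketch (wire into node:http or express):
//   const proxy = createProxy({ clientId: process.env.CLIENT_ID,
//                               clientSecret: process.env.CLIENT_SECRET });
//   app.get('/api/*', async (req, res) => {
//     const out = await proxy.forward(req.path.replace(/^\/api/, ''));
//     res.status(out.status).json(out.body);
//   });
```

The React front end then fetches from its own origin (for example /api/data/...), which sidesteps the CORS question raised above entirely and means the secret never ships in a JavaScript bundle where anyone can read it from the browser's devtools.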