The Authorizing OAuth Apps doesn't mention the access_token endpoint doesn't support CORS

[baywet]

Code of Conduct

• I have read and agree to the GitHub Docs project's Code of Conduct

What article on docs.github.com is affected?

https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps#2-users-are-redirected-back-to-your-site-by-github

What part(s) of the article would you like to see updated?

There should be a mention that CORS pre-flights are not supported on this endpoint (OPTIONS requests). This, and the fact that implicit flow is not supported, effectively means that authenticating from a SPA is impossible without a service relay.
That's unless PKCE is supported, but there are no mentions of it. https://espressocoder.com/2019/10/28/secure-your-spa-with-authorization-code-flow-with-pkce/

Additional information

No response

[welcome]

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

[cmwilson21]

@baywet Thanks so much for opening an issue! I'll triage this for the team to take a look 👀

[baywet]

Thanks! For information after investigating the issue further I also established that PKCE isn't supported today. This should probably be detailed in the docs as well.
I've added a "feature request" here which contains additional details.

[github-actions]

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀

[github-actions]

This is a gentle bump for the docs team that this issue is waiting for technical review.

[github-actions]

This is a gentle bump for the docs team that this issue is waiting for technical review.