Keep getting error 401 when trying to call oauth/token

Hi, I’m using front-end to call Jmix /oauth/token API from a different domain. I keep getting error 401 from Jmix even though I already set Jmix CORS domain property.

Here’s my architecture:

  • I use Jmix behind my NGINX proxy
  • And then I use Cloudflare to proxy the Nginx (but this should not be a problem since Cloudflare won’t interfere with CORS headers)
  • I use XMLHttpRequest object to call the oauth token.

Here’s some snippets of NGINX conf:

    add_header 'Access-Control-Max-Age' '3600'  always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' '*' always;

XHR Code:

    var xhr = new XMLHttpRequest();
    xhr.open("POST", "https://example.com/oauth/token", true, "client", "secret");
    xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xhr.withCredentials = true;
    xhr.send("grant_type=password&username=admin&password=admin");

At one point, it could work, but then after that it doesn’t work anymore. Any idea what changes?