Nest API Authorization giving 404

Question

I can't seem to get my Access Token through the Nest API. I've tried POSTing to the Access Token URL in 3 different ways, but they all give the same result.

I'm using the following code:

<body>
  <button type = 'button' id = 'connect' class = 'btn btn-default'>Connect To Nest</button>
  <div id = 'pinArea'>
      <label for = 'pin'>Enter PIN Here: </label><input type = 'text' name = 'pin' id = 'pin'><br />
      <button type = 'button' class = 'btn btn-default' id = 'pinSubmit'>Submit</button>
  </div>


  <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js"></script>
  <script src="js/bootstrap.min.js"></script>
  <script type = 'text/javascript'>
      $(document).ready(function() {

          function makeid()
            {
                var text = "";
                var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

                for( var i=0; i < 5; i++ )
                    text += possible.charAt(Math.floor(Math.random() * possible.length));

                return text;
            }

          $("#connect").click(function() {
              var state = makeid();
              window.open('https://home.nest.com/login/oauth2?client_id=MYCLIENTID&state='+state+'');
              $("#connect").hide();
              $("#pinArea").show();
          });

          $("#pinSubmit").click(function() {
              var pin = $("#pin").val();
              $.ajax({
                  url: "https://api.home.nest.com/oauth2/access_token?code="+pin+"&client_id=MYCLIENTID&client_secret=MYCIENTSECRET&grant_type=authorization_code",
                  //data: {code: pin, client_id: "MYCLIENTID", client_secret: "MMYCLIENTSECRET", grant_type: "authorization_code"},
                  type: "POST",
                  success: function(res) {
                      console.log(res);
                  },
                  error: function(e) {
                      console.log(e);
                  }
              });
          });
      });
  </script>

The problem is that the URL is giving the following error in my console, when it should be sending back my Access Token:

XMLHttpRequest cannot load https://api.home.nest.com/oauth2/access_token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://fatslug.ca' is therefore not allowed access. 

Any ideas on what could be causing this? Am I just doing it completely wrong?!

Answer 1

The issue is that Nest does not support CORs for their token exchange step. I presume this is intentional, but I'm really not sure.

Instead, Nest would seem to prefer that you build a server and proxy the token exchange through that server. Pretty simple to do.

However, if you really want to do the token exchange in the browser (and do NOT do this for anything in production or taking privacy/security seriously), then you can use a service like cors-anywhere.com:

"https://cors-anywhere.herokuapp.com/api.home.nest.com/oauth2/access_token?" +
"code="+auth.authorizationCode+"&" +
"client_id="+clientId+"&" +
"client_secret="+clientSecret+"&" +
"grant_type=authorization_code"

This will send the request to cors-anywhere, which will provide CORs support to the request and proxy to Nest.

Answer 2

我认为这与CORS无关，就像Nest需要POST一样。