SOTI Pulse Logo

MobiControl API Using Fetch-Function from a Browser

JD
John Doe Platinum Contributor
Eisen Karl GmbH

I am currently trying to programme a little toolbox for our technicians (i don´t want to give them access to devices and or webconsole directly). Hence its just a small tool i didnt want to host it as a webservice / server somewhere either.

The issue with using fetch in any modern browser no is that unfortunately the mobicontrol api answers POST-Request´s withouth CORS Information.

<

Access to fetch at '' from origin '' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

>

With mode: 'no-cors' it works but the browser only returns opaque data

3 years ago
SOTI MobiControl
ANSWERS
H
HOMOD@SOTI
3 years ago

Hello John Doe,

Thank you for your post and sorry to keep you waiting. I have taken this question to our product managers and hope to get some answers for you. Will keep you posted.

H
HOMOD@SOTI
3 years ago

Hello John Doe,

Very sorry for taking long time to give you a response.

After discussing with our product managers regarding your inquiry, they have advised calling MC API from a frontend introduces a high security risk as well as is prohibited with OAuth 2.0 RFC. 
The CORS header is a security control preventing this. To implement integration in a safe way, the web application needs to implement UI API with a proper authentication and permission check, to call MC API server to server. 
If you are not looking to host a solution yourself it may be benificial to look into our SOTI Snap product and review the following link to see what is possible with MobiControl and REST API - https://discussions.soti.net/articles/fetching-data-from-mobicontrol-with-a-snap-app" 

JD
John Doe Platinum Contributor
3 years ago

Hello HOMOD,

calling an API from a browser based app is not prohibited with Oauth 2.0. There is even a seperat section on how to implement this safely! Although this does not work given the fact what methods for authentications are supplied by mobicontrol api.

No, the cors header is not a security control preventing api-calls from web-apps, its designed for preventing cross-origin api calls. If we want to make api-calls in the same domain as the server than this is possible.

And with what i said in my initial post is that, there is no cors-header sent from mobicontrol:
<

Access to fetch at '' from origin '' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

>

T
THMOD@SOTI
3 years ago

Hi John,

 

Since you have a use case on your side and it seems our product manager's initial response does not fulfill your expectation.

 

If you wish, would you please submit us a feature request on this? Please do let our team knows all the details you require to see what we can work on next steps.

 

Many thanks.

 

Kind regards,

Technical Support | SOTI Inc. | 1.905.624.9828 | support@soti.net | www.soti.net |

Similar Discussions