
Sharing oauth2 token with AJAX request to be sent to resource server

Çağlar Arlı

I am a little confused on how the token is shared from the client to an AJAX script to the resource server in the oauth2 flow.

To explain the scenario I am trying to set up, I have

  • a client (http://localhost:3000)
  • a resource server (http://localhost:3001)
  • an authentication server (http://localhost:3002)

The client is a server that is communicating with a user in the browser. The client obtains the token from the authentication server through the use of the authorization flow; it then sets the token as a cookie which is shared with the user. This means that the user has the token, but now the client wants the page delivered to the user to make an AJAX request to the resource server for information.

Since the token is locked between the client and the user, and CORS forbids the sharing of cookies when 'Access-Control-Allow-Origin', '*' is set, how can the AJAX request obtain the token and send it to the resource server to be validated?

Or am I confusing the workflow/trying something impossible? Thanks in advance!
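
The CORS constraint the question refers to, as an added example that is not part of the original post: browsers refuse a credentialed cross-origin response when `Access-Control-Allow-Origin` is `*`, so the resource server has to name the exact client origin and send `Access-Control-Allow-Credentials: true`. The handler shape, the cookie name `access_token` and the function names are assumptions made for illustration; token validation against the authentication server is left out.

```javascript
// Added example: CORS logic for the resource server (http://localhost:3001).
// Cookie name and function names are assumptions, not from the original post.
const ALLOWED_ORIGINS = new Set(['http://localhost:3000']); // the client in the question
const TOKEN_COOKIE = 'access_token';                        // assumed cookie name

// Build the CORS response headers for a given request Origin.
// A credentialed request needs the exact origin echoed back, never '*'.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {}; // unknown origin: no grant
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Headers': 'Authorization', // custom header triggers a preflight
    'Vary': 'Origin',                                // keep caches from mixing origins
  };
}

// Read the token from "Authorization: Bearer <token>", else from the cookie.
function extractToken(headers) {
  const m = /^Bearer\s+(\S+)$/i.exec(headers['authorization'] || '');
  if (m) return m[1];
  for (const part of (headers['cookie'] || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === TOKEN_COOKIE) return rest.join('=') || null;
  }
  return null;
}

// Request handler with the (req, res) signature of Node's http.createServer.
function handle(req, res) {
  const cors = corsHeaders(req.headers.origin);
  if (req.method === 'OPTIONS') {           // preflight: answer with headers only
    res.writeHead(204, cors);
    return res.end();
  }
  const token = extractToken(req.headers);  // validation of the token is out of scope
  res.writeHead(token ? 200 : 401, { ...cors, 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ tokenPresent: Boolean(token) }));
}

// Browser side (page served from http://localhost:3000), for reference:
//   fetch('http://localhost:3001/data', { credentials: 'include' })
//   fetch('http://localhost:3001/data', { headers: { Authorization: 'Bearer ' + token } })
```
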