Hi @jmayer – as stated earlier: Zammad sends the Access-Control-Allow-Origin – but not for Token or BasicAuth.
There are two OAuth functionalities available in the Zammad context:
1st) You can authorise via a third party identity provider (such as GitHub, Twitter etc.) which will create a valid HTTP session (cookie based) for you.
2nd) Zammad can act as identity provider (such as GitHub, Twitter, etc.) for third party systems via OAuth to verify that the requesting identity exists.
I don’t think that either of the two listed above will serve your need.
The issue that I see here is that you expose the session of the authenticated user to the browser session. This will enable an attacker to access other endpoints in the name of the used session (changing password, reading other tickets, etc.). That’s why this kind of request is prohibited by measures we put in place, namely the Content Security Policy. The CSP will be another roadblock in your way.
Accessing third party system APIs with an authenticated session directly is potentially dangerous and not recommended.
My proposal would be to:
a) use the Form endpoint which does not need any authentication
b) create an intermediate API endpoint that encapsulates/handles the authentication and request to the Zammad API (like a wrapper) and exposes a single, dedicated endpoint for POSTing the payloads.
Hope this helps in any way.
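Proposal b) above, an intermediate endpoint that keeps the Zammad credentials server-side and exposes a single POST route to the browser, sketched as an added example. This is not code from the thread or from the Zammad project; the `/submit` route, the field whitelist, the `ZAMMAD_URL`/`ZAMMAD_TOKEN` environment variables and the `/api/v1/tickets` path with `Authorization: Token token=...` are assumptions for illustration. The browser never sees the token: it only receives the new ticket's `id` and `number`, and any fields it sends beyond the whitelist are dropped so it cannot set arbitrary ticket attributes.

```python
import json
import os
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed configuration (placeholders, not values from the Zammad thread).
ZAMMAD_URL = os.environ.get("ZAMMAD_URL", "https://zammad.example.invalid")
ZAMMAD_TOKEN = os.environ.get("ZAMMAD_TOKEN", "PLACEHOLDER_TOKEN")  # stays server-side
ZAMMAD_GROUP = os.environ.get("ZAMMAD_GROUP", "Users")
TICKETS_ENDPOINT = "/api/v1/tickets"  # assumed Zammad ticket-creation path

# Only these fields may come from the browser; anything else is discarded.
ALLOWED_FIELDS = {"title", "body", "customer_email"}
REQUIRED_FIELDS = {"title", "body", "customer_email"}


def validate_payload(raw_body):
    """Parse the browser's JSON and keep only whitelisted, non-empty string fields."""
    try:
        data = json.loads(raw_body)
    except (TypeError, ValueError):
        raise ValueError("body is not valid JSON")
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    clean = {k: v for k, v in data.items()
             if k in ALLOWED_FIELDS and isinstance(v, str) and v.strip()}
    missing = REQUIRED_FIELDS - clean.keys()
    if missing:
        raise ValueError("missing fields: " + ", ".join(sorted(missing)))
    return clean


def build_ticket_request(payload):
    """Return (url, headers, body) for the upstream call; the token is attached here only."""
    body = {
        "title": payload["title"],
        "group": ZAMMAD_GROUP,
        "customer": payload["customer_email"],
        "article": {"body": payload["body"], "type": "note"},
    }
    headers = {
        "Authorization": "Token token=" + ZAMMAD_TOKEN,
        "Content-Type": "application/json",
    }
    return ZAMMAD_URL + TICKETS_ENDPOINT, headers, json.dumps(body)


def send_to_zammad(url, headers, body):
    """Server-to-server call to Zammad; returns (status, parsed JSON)."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:
        return exc.code, {}


def sanitize_response(upstream):
    """Expose only what the browser needs; no internal ids or user data leak back."""
    return {k: upstream[k] for k in ("id", "number") if k in upstream}


def handle_submit(raw_body, send=send_to_zammad):
    """Core of the wrapper: validate, forward with credentials, return a reduced reply."""
    try:
        payload = validate_payload(raw_body)
    except ValueError as exc:
        return 400, {"error": str(exc)}
    url, headers, body = build_ticket_request(payload)
    status, upstream = send(url, headers, body)
    if status not in (200, 201):
        return 502, {"error": "upstream rejected the ticket"}
    return 201, sanitize_response(upstream)


class SubmitHandler(BaseHTTPRequestHandler):
    """Single dedicated route the browser is allowed to POST to."""

    def do_POST(self):
        if self.path != "/submit":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        status, reply = handle_submit(self.rfile.read(length).decode())
        out = json.dumps(reply).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), SubmitHandler).serve_forever()
```

The `send` parameter exists so the forwarding step can be exercised offline with a stub; in production `handle_submit` uses `send_to_zammad`. Because the token and the upstream URL live only in this process, the browser-side page needs no credentials at all, which is the point of the wrapper.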