oauth2orize | OAuth 2.0 authorization server toolkit for Node.js | OAuth library

As mentioned in comment by hardlib,it was actually the issue of DNS lookup and as per link,I was able to solve the same issue.Thus,reiterating those steps to avoid further confusion:

1)Find the DNS pertaining to your system:

This diagram is from a udemy tutorial I took when I was learning React. (https://www.udemy.com/node-with-react-fullstack-web-development/).

I am not sure if this diagram refers to the flow you were talking about so let me know if this is the case.

The issue that error message indicates isn’t caused by the app code running at https://myurl/. Instead it’s just that https://zapier.com/dashboard/auth/… doesn’t seem to support CORS.

Specifically, the response from that https://zapier.com/dashboard/auth/… URL doesn’t include the Access-Control-Allow-Origin response header, so your browser won’t let your frontend JavaScript code access the response.

It seems like that is all intentional on the part of Zapier—they don’t intend for that auth endpoint to be accessed from frontend AJAX/XHR/Fetch code running in a browser. Instead I guess it’s intended that you only access that auth endpoint from your backend code. Or something.

Anyway there is no way from your side that you can fix the fact the response from that Zapier API endpoint doesn’t include Access-Control-Allow-Origin.

And as long as it doesn’t include Access-Control-Allow-Origin, your browser will continue blocking your frontend code from being able to get to the response—and there’s no way to get your browser behave otherwise as long as your frontend code is trying to hit that API endpoint directly.

So the only solution is to not hit that API endpoint directly from your frontend code but to instead either set up a proxy and change your frontend code to make the request through that, or else just handle it in some other way in your existing backend code, as mentioned above.

The answer at "No 'Access-Control-Allow-Origin' header is present on the requested resource" gives some details on how you can set up a special CORS proxy, if you want to go that route.

Your question is big, I will try to answer all the phrases marked with ? in a generic way (without taking into account the specific frameworks you are using)

there's an id_token in localStorage on load.

The user closed the browser and opened it again. What are the best practices to do so?

You can choose between being optimistic and continue using the token, or pessimistic and request a new one.

• Continue using the token if the expiration time is long enough. I assume that the token is verified in each request, so if the token is invalid you will receive a 401 and you can request a new one

• Request a new token if the expiration is short or you want to require a new user authentication when the browser opens your application. If you want to check if the JWT is still valid, redirections with an auth server is not user-friendly for a SPA. I suggest to perform an AJAX call to validate and request a new token.

token get's expired after some time

This is the first case I explained above. You can prevent it issuing a new token on each request, or after fixed periods of time i.e. 1 hour

what are the /tokeninfo or /userinfo for?

I do not know these services, but their meaning can be deduced. JWT is signed, so you can trust the data contained (While the signature remains valid)

JWT signature verification, Beside the OP, should my-spa verify the JWT signature (with a public key perhaps)?

You must verify the signature for each request. If you use a symmetric key (i.e HMAC) JWT is signed and verified with the same key. With asymmetric keys (RSA), JWT is signed with private key and verified with the public key

re-using this token to access a REST API of a third service

Add the id_token as a Bearer token to each ajax request,

Correct, usually using an Authorization header

my-service.com should validate the JWT signature (with a public key?) and decide whether to allow or deny access to the protected resource

Of course, any service using the JWT must validate the signature. A external services does not own the private key, so in this case is required to use a assymetric key. You need to publish the public key so the external service could verify the token