Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass API Authentication

  • 1.  ClearPass API Authentication

    Posted Sep 28, 2016 03:23 PM

    I am new to the ClearPass API and am having issues with CORS requests.

    Using XMLHttpRequest I have been trying to send a POST request to the ClearPass server, but the preflighted OPTIONS request returns a 403 Forbidden.

    var xmlhttp = new XMLHttpRequest();
    var url = "https://websitename/api/oauth";

    xmlhttp.onreadystatechange = function () {
        if (this.readyState == 4 && this.status == 200) {
            console.log(this.responseText);
        }
    };
    xmlhttp.open("POST", url, true);
    xmlhttp.setRequestHeader("Content-Type", "application/json");
    xmlhttp.send(JSON.stringify({
        "grant_type": 'password',
        "username": username,
        "password": password,
        "client_id": 'NameOfAPIClient'
    }));

    In API Framework > Allowed Origins, I have tried to specify both * and a specific domain with no luck. I have created an API client with a grant_type = password, and set the client as a public (trusted) client.

    All the documentation and examples that I have seen use curl to test the client, which bypasses this OPTIONS request issue. Is it possible to make these API calls using just JavaScript?



  • 2.  RE: ClearPass API Authentication

    EMPLOYEE
    Posted Sep 30, 2016 09:30 AM

    I am not sure any of us have tried this under JavaScript.  Under what scenario is having the password in the clear like that acceptable?  

     

    You never mentioned that testing via curl or some other CLI tool worked.  Your username and password are OK and you created the appropriate OAuth2 API User Access service within Policy Manager?
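
Added example, not part of the thread and not ClearPass code: a simplified JavaScript model of the browser behaviour the first post runs into, showing why a POST with Content-Type: application/json is preceded by an OPTIONS preflight (which curl never sends) and why a 403 on that preflight stops the real request. The origin https://portal.example and the function names are assumptions; credentials mode, header length limits and upload listeners are ignored.

```javascript
// Added illustration (not ClearPass code): simplified model of the Fetch
// standard's CORS preflight rules. Function names are hypothetical.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set(
  ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Lowercased, sorted names of the request headers that force a preflight.
function unsafeHeaders(headers) {
  return Object.entries(headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (n !== "content-type") return !SAFE_HEADERS.has(n);
    return !SAFE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
  }).map(([name]) => name.toLowerCase()).sort();
}

// The OPTIONS request a browser sends first, or null when none is needed.
function buildPreflight(origin, method, headers) {
  const unsafe = unsafeHeaders(headers);
  const verb = method.toUpperCase();
  if (SAFE_METHODS.has(verb) && unsafe.length === 0) return null;
  const preflight = { Origin: origin, "Access-Control-Request-Method": verb };
  if (unsafe.length) preflight["Access-Control-Request-Headers"] = unsafe.join(",");
  return preflight;
}

// Whether the browser would go on to send the real request.
function preflightAllows(preflight, status, responseHeaders) {
  if (status < 200 || status > 299) return false; // a 403 stops here
  const h = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase());
  const origin = h["access-control-allow-origin"];
  if (origin !== "*" && origin !== preflight.Origin) return false;
  const verb = preflight["Access-Control-Request-Method"];
  const verbs = list(h["access-control-allow-methods"]);
  if (!SAFE_METHODS.has(verb) && !verbs.includes(verb.toLowerCase())) return false;
  const allowed = list(h["access-control-allow-headers"]);
  return list(preflight["Access-Control-Request-Headers"])
    .every((name) => name === "" || allowed.includes(name) || allowed.includes("*"));
}

// Constructed input: the thread's request shape, sent from a made-up origin.
const demo = buildPreflight("https://portal.example", "POST",
  { "Content-Type": "application/json" });
console.log(demo, preflightAllows(demo, 403, {}));
```

In this model a body sent as application/x-www-form-urlencoded makes buildPreflight return null, meaning no OPTIONS request precedes the POST.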