Access to XMLHttpRequest at ... has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource

We are seeing below CORS error every 1 hour. And when we refresh the browser, the /authorize request proceeds.

We verified that the CORS policy is set correctly in Okta (Security->API->TrustedOrigin) for our client domain.

Error on browser console:

Access to XMLHttpRequest at ‘ portnumber %2F&response_type=code&scope=openid%20profile%20email&code_challenge= &code_challenge_method=S256&state=OpenIdConnect.AuthenticationProperties &x-client-SKU=ID_NET461&x-client-ver=’ (redirected from ‘https://localhost:portnumber/pagename.aspx’) from origin 'https://localhost: portnumber has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

We are using Okta.AspNet 3.2.2 in the 4.7.2 application. Application is owin layer with OktaMvcOptions (loginmode.oktahosted) for redirecting our users to Okta login page for authentication. After successful authentication users redirect back to the application and continue working.

After an hour the user’s screen freezes and user has to click the refresh button on the browser. We are using Chrome Browser Version 120.

We tried cleaning browser cache/cookies and still same issue.

Please suggest any solution or workaround. or let me know if you need more information.


The Okta /authorize endpoint does not support XHR requests, requests must be made with a browser redirect,

Note: When making requests to the /authorize endpoint, the browser (user agent) should be redirected to the endpoint. You can’t use AJAX with this endpoint.

I am guessing that your application is making JS XHR calls with an access_token. After 60 minutes the token expires and the endpoint the app is doing the XHR calls to redirects to the /authorize call.

1 Like

Hello Eric,
Thanks for your quick response. I understand the note you mentioned and yes our application making XHR calls.
I two more questions related to this -

  1. Is there any workaround for this?
  2. Can we increase token time from 60 minutes to 120 minutes in Okta for specific authorization server instead of default authorization server?

Once again thanks for your input.

For any of the Okta custom authorization servers the access_token can have a max lifetime of 24 hours. this can be set in the policies. This include the default authorization server /oauth2/default/v1/authorize which is a custom authorization server.

The Okta Org authorization server /oauth2/v1/authorize access_token lifetime can’t be modified and is set to 60 minutes. I assume you are not using this since these access token signatures require remote validation.

1 Like

Thanks. this information is useful. Appreciate you for clarifying my questions and confirming my understanding.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.