We are just testing out Okta on a small application (we also use IdentityServer4 .NET, so it's a test for transition). Everything worked well; however, when the silent renew is triggered, it's giving us CORS issues.
We tried both locally and on a server (with a domain). We added the domains in API > Trusted Origins and ticked both CORS and Redirect (one was actually added by default after the initial setup).
Just some details:
- auth code flow with PKCE (iframe)
- OIDC client library: https://github.com/damienbod/angular-auth-oidc-client
With our own IdentityServer we didn’t have any issue; we just needed to add silent-renew.html to the login redirect URIs (which should also be added for this).
This is the error we are getting:
Access to fetch at 'https://dev-xxx.okta.com/oauth2/v1/token' from origin 'https://xxx.azurewebsites.net' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
Not much, just the default CORS error though. The standard code flow with silent renew should work, right?
Any help would be appreciated. Thanks!