We are just testing out Okta on a small application (we also use IdentityServer4 .NET, so it's a test for transition). Everything worked well; however, when the silent renew is triggered it's giving us CORS issues.
We tried both locally and on the server (with domain); we added the domains in API > Trusted Origins and ticked both CORS and Redirect (one was actually added by default after the initial setup).
With our own IdentityServer we didn't have any issue; we just needed to add silent-renew.html to the login redirect URIs (which should also be added for this).
This is the error we are getting:
Access to fetch at 'https://dev-xxx.okta.com/oauth2/v1/token' from origin 'https://xxx.azurewebsites.net' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
Not much, just the default CORS error though. The standard code flow with silent renew should work, right?
You’re getting this CORS error both locally and deployed?
Correct
What happens if you test out your app in a private browsing session/incognito window?
Just tested it and I have the same issue
I did take a HAR file if you wish to inspect it; I can send it somewhere.
I have a feeling this is not an actual CORS issue and is more that the API call being issued is not being handled correctly (due to mismatched params or so, and the API is rejecting it), and probably the actual error is hidden by the CORS error.
You may be right; sometimes CORS errors are thrown if the request URL is invalid. I would definitely recommend double-checking the URL you are using and making sure you can otherwise make the same request server-side.
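A way to follow the last suggestion, as an added example that is not part of this thread or Okta's tooling: replay the silent-renew token request server-side with the SPA's `Origin` header, so the response body is visible instead of being masked by the browser's CORS error, and classify whether the origin is actually untrusted or an OAuth error is hiding behind it. The token URL, origin and form parameters are placeholders; pass the same parameters your silent-renew request sends.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Placeholder values (assumptions, not real tenants): the thread's redacted URLs.
TOKEN_URL = "https://dev-xxx.okta.com/oauth2/v1/token"
ORIGIN = "https://xxx.azurewebsites.net"   # the SPA's origin, as the browser sends it


def classify_token_response(status, headers, body, origin):
    """Return a verdict separating a CORS failure from an OAuth error.

    headers: mapping of response headers (any case); body: raw bytes.
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    origin_allowed = acao is not None and acao in ("*", origin)
    try:
        payload = json.loads(body.decode("utf-8") or "{}")
    except ValueError:
        payload = {}
    oauth_error = payload.get("error")
    if origin_allowed and 200 <= status < 300:
        verdict = "ok"
    elif origin_allowed:
        verdict = "oauth_error"                  # the browser would see the JSON error
    elif oauth_error:
        verdict = "oauth_error_hidden_by_cors"   # what the thread suspects
    else:
        verdict = "cors_origin_not_trusted"      # origin not in Trusted Origins with CORS
    return {"verdict": verdict, "status": status, "allow_origin": acao,
            "error": oauth_error, "error_description": payload.get("error_description")}


def probe_token_endpoint(form, token_url=TOKEN_URL, origin=ORIGIN):
    """Send the same form-encoded token request the SPA sends, with its Origin header."""
    req = urllib.request.Request(
        token_url, data=urlencode(form).encode(), method="POST",
        headers={"Origin": origin, "Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_token_response(resp.status, dict(resp.headers), resp.read(), origin)
    except urllib.error.HTTPError as err:   # 4xx/5xx still carry headers and a JSON body
        return classify_token_response(err.code, dict(err.headers), err.read(), origin)
```

Run `probe_token_endpoint({...})` with the exact parameters from the HAR entry for the failing request; a `cors_origin_not_trusted` verdict points at the Trusted Origins entry, while `oauth_error_hidden_by_cors` shows the rejected-parameter case with the real `error_description`.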