Angular Silent Renew CORS issue

We are just testing out Okta on a small application (we also use IdentityServer4 .NET, so it's a test for transition). Everything worked well; however, when the silent renew is triggered it's giving us CORS issues.

We tried both local and on server (with domain). We added domains in API > Trusted Origins and ticked both CORS and Redirect (one was actually added by default after the initial setup).

Just some details
We use:

With our own identity server we didn’t have any issue; we just needed to add silent-renew.html to the login redirect URIs (which should also be added for this).

This is the error we are getting:

	Access to fetch at 'https://dev-xxx.okta.com/oauth2/v1/token' from origin 'https://xxx.azurewebsites.net' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Not much, just the default CORS error though. The standard code flow with silent renew should work, right?

Any help would be appreciated. Thanks!

You’re getting this CORS error both locally and deployed? What happens if you test out your app in a private browsing session/incognito window?

You’re getting this CORS error both locally and deployed?

Correct

What happens if you test out your app in a private browsing session/incognito window?

Just tested it and I have the same issue

I did take a HAR file if you wish to inspect it, if I can send it somewhere.
I have a feeling this is not an actual CORS issue and is more that the API call being issued is not being handled correctly (due to mismatched params or so, and the API is rejecting it), and probably the actual error is hidden by the CORS error.

You may be right; sometimes CORS errors are thrown if the request URL is invalid. I would definitely recommend double-checking the URL you are using and making sure you can otherwise make the same request server-side.

The request is as follows:

https://dev-6471665.okta.com/oauth2/v1/token

Form Data

grant_type=authorization_code&client_id=XXX&code_verifier=XXX&code=XXX&redirect_uri=http://localhost:6300/silent-renew.html

The thing is, it works on our own identity server and I don’t have too much control over the request, as it's being requested by the said library.

This may be easier to investigate via a support case, that way someone can review the HAR you captured and can double check all your settings in Okta.
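
One way to read the captured HAR for the points raised in this thread, as an added example that is not part of the original posts or of any Okta library: for each token request it reports the HTTP status, the Origin header, the origin of the `redirect_uri` form field, and whether the response carried `Access-Control-Allow-Origin`. The function names and the sample entries (including their status codes) are constructed for illustration.

```javascript
// Added example: summarize token-endpoint entries in a HAR 1.2 capture.
// Sample entries are constructed; status codes and headers are placeholders.
const FORM = "grant_type=authorization_code&client_id=XXX&code_verifier=XXX&code=XXX";

// Build one constructed HAR entry for a POST to the token endpoint.
function sampleEntry(origin, redirectUri, status, responseHeaders) {
  return {
    request: {
      method: "POST",
      url: "https://dev-xxx.okta.com/oauth2/v1/token",
      headers: [{ name: "Origin", value: origin }],
      postData: { text: `${FORM}&redirect_uri=${redirectUri}` },
    },
    response: { status, headers: responseHeaders },
  };
}

const sampleHar = { log: { entries: [
  sampleEntry("http://localhost:6300", "http://localhost:6300/silent-renew.html", 400, []),
  sampleEntry("https://xxx.azurewebsites.net", "http://localhost:6300/silent-renew.html", 400, []),
  { request: { method: "GET", url: "https://xxx.azurewebsites.net/main.js", headers: [] },
    response: { status: 200, headers: [] } },
] } };

// Case-insensitive lookup in a HAR headers array; null when absent.
function header(headers, name) {
  const hit = (headers || []).find((h) => h.name.toLowerCase() === name.toLowerCase());
  return hit ? hit.value : null;
}

// One finding per request whose path ends in /token.
function inspectTokenRequests(har) {
  return har.log.entries
    .filter((e) => new URL(e.request.url).pathname.endsWith("/token"))
    .map((e) => {
      const form = new URLSearchParams((e.request.postData || {}).text || "");
      const redirectUri = form.get("redirect_uri");
      const origin = header(e.request.headers, "Origin");
      const redirectOrigin = redirectUri ? new URL(redirectUri).origin : null;
      return {
        status: e.response.status,
        origin,
        redirectOrigin,
        originMatchesRedirect: origin !== null && origin === redirectOrigin,
        allowOrigin: header(e.response.headers, "Access-Control-Allow-Origin"),
        grantType: form.get("grant_type"),
      };
    });
}

console.log(inspectTokenRequests(sampleHar));
```

For a real capture, parse the exported `.har` file as JSON and pass the resulting object to `inspectTokenRequests`.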