Authorization with OKTA fails due to CORS (Access-Control-Allow-Origin)

In our setup we have a frontend and backend on different servers with OKTA being our identity manager. Most of the communication is being done with the graphql and it works like a charm. However recently we had a use case where the good ol’ REST was a better choice. To make a long story short, a request coming from the frontend side has been blocked due to CORS, now let me take you to the details.

  1. I have a CORS policy set on the backend, allowing calls from the defined origins (including localhost). I am using wildcards for headers and methods. Same addresses have been added to OKTA’s Trusted Origins. This setup works flawlessly with graphql requests, no issue so far.
  2. This week I have added a couple of REST endpoints and our problems began. All requests have been failing due to CORS, and the error message was pointing at <my-backend-domain>/oauth2/authorization/okta (Access-Control-Allow-Origin header is missing). I’ve managed to overcome this issue by adding the backend URI to OKTA’s Trusted Origins, what takes us to the point number 3.
  3. Right here I hit the wall. I’m receiving the same error message as at #2 (Access-Control-Allow-Origin header is missing), however I can see my OKTA’s authorization server URI in the error message:

What am I missing?

@lkwid Hi, can you please confirm the below questions?

  1. Do you have the access to To test this, you can open the URL in the browser and see if you have the access.
  2. Is it possible to know which specific API you use when you first time having the error?
  3. Could you please attach the screenshots?
  • error msg
  • trusted origin settings
  • Application general tab – redirect URL

Hi @Lijia.

  1. Yes, I have an access to ‘…/oauth2/default/.well-known/openid-configuration’
  2. Sorry Lijia, I’m not sure what is on your mind here. Hopefully the screenshot below brings the answer
  3. Screenshot:

    Trusted origins:

    Login redirect:
    Sign on tab:

    Sorry for the mess with all these URIs and Origins. We were trying many different options lately…

@lkwid Hi, I was wondering if you have the access to metadata URL and if configure localhost URL well. It looks like you did both correctly. It could be easier to discuss the issue in a remote meeting session.
Can you please open a support ticket through an email to