In our setup we have a frontend and backend on different servers, with OKTA being our identity manager. Most of the communication is done with GraphQL and it works like a charm. However, recently we had a use case where good ol’ REST was a better choice. To make a long story short, a request coming from the frontend side has been blocked due to CORS; now let me take you through the details.
1. I have a CORS policy set on the backend, allowing calls from the defined origins (including localhost). I am using wildcards for headers and methods. The same addresses have been added to OKTA’s Trusted Origins. This setup works flawlessly with GraphQL requests, no issue so far.
2. This week I added a couple of REST endpoints and our problems began. All requests have been failing due to CORS, and the error message was pointing at
   <my-backend-domain>/oauth2/authorization/okta
   (Access-Control-Allow-Origin header is missing). I managed to overcome this issue by adding the backend URI to OKTA’s Trusted Origins, which takes us to point number 3.
3. Right here I hit the wall. I’m receiving the same error message as at #2 (Access-Control-Allow-Origin header is missing), however I can see my OKTA’s authorization server URI in the error message:
   https://dev-xxxxxx.okta.com/oauth2/default/v1/authorize?response_type=code&client_id=...
What am I missing?
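The pattern described in points 2 and 3, where the CORS error names a URL the frontend never called, is what a browser reports when a cross-origin fetch is answered with a redirect: the CORS response check is applied to every hop in the redirect chain, so the error points at the first hop that lacks a matching Access-Control-Allow-Origin header, not at the REST endpoint that was requested. The following script is an added example, not code from the original post or from Okta; it models that per-hop check on constructed redirect chains (the origin, backend host and paths are placeholders, and the Okta authorize URL is reused from the post without its query string) so the two symptoms can be reproduced offline.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Hop:
    """One response in a redirect chain as the browser saw it."""
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # HTTP header names are case-insensitive; normalise for lookup.
        self.headers = {k.lower(): v for k, v in self.headers.items()}


def allows_origin(headers: Dict[str, str], origin: str, with_credentials: bool) -> bool:
    """The CORS response check a browser applies to a single response."""
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return False
    if acao == "*":
        # A wildcard is rejected when the request carried credentials
        # (cookies or an Authorization header), which a login flow does.
        return not with_credentials
    if acao != origin:
        return False
    if with_credentials:
        return headers.get("access-control-allow-credentials", "").lower() == "true"
    return True


def first_cors_failure(origin: str, chain: List[Hop], with_credentials: bool = True) -> Optional[str]:
    """Return the URL of the first hop whose response fails the CORS check,
    or None if every hop passes. Because the check runs on each hop, the
    reported URL is the redirect target rather than the endpoint called."""
    for hop in chain:
        if not allows_origin(hop.headers, origin, with_credentials):
            return hop.url
    return None


# Constructed placeholders standing in for the poster's frontend and backend.
FRONTEND_ORIGIN = "https://frontend.example"
BACKEND = "https://backend.example"
LOGIN_REDIRECT = f"{BACKEND}/oauth2/authorization/okta"
OKTA_AUTHORIZE = "https://dev-xxxxxx.okta.com/oauth2/default/v1/authorize"

# Constructed chain for point 2: the REST call is redirected into the login
# flow and the second hop carries no CORS headers at all.
CHAIN_POINT_2 = [
    Hop(f"{BACKEND}/api/report", 302,
        {"Location": LOGIN_REDIRECT,
         "Access-Control-Allow-Origin": FRONTEND_ORIGIN,
         "Access-Control-Allow-Credentials": "true"}),
    Hop(LOGIN_REDIRECT, 302, {"Location": OKTA_AUTHORIZE}),
    Hop(OKTA_AUTHORIZE, 200, {}),
]

# Constructed chain for point 3: the backend hop now answers with CORS
# headers, so the failure moves one hop further, to the authorize endpoint.
CHAIN_POINT_3 = [
    CHAIN_POINT_2[0],
    Hop(LOGIN_REDIRECT, 302,
        {"Location": OKTA_AUTHORIZE,
         "Access-Control-Allow-Origin": FRONTEND_ORIGIN,
         "Access-Control-Allow-Credentials": "true"}),
    Hop(OKTA_AUTHORIZE, 200, {}),
]

# A chain with no redirect passes: the API answers the frontend directly.
CHAIN_OK = [
    Hop(f"{BACKEND}/api/report", 200,
        {"Access-Control-Allow-Origin": FRONTEND_ORIGIN,
         "Access-Control-Allow-Credentials": "true"}),
]

if __name__ == "__main__":
    for name, chain in (("point 2", CHAIN_POINT_2), ("point 3", CHAIN_POINT_3), ("ok", CHAIN_OK)):
        print(f"{name}: first CORS failure at {first_cors_failure(FRONTEND_ORIGIN, chain)}")
```

Against a live deployment the same walk can be done with any HTTP client that does not follow redirects automatically, sending an Origin header and inspecting each 3xx response in turn; a 302 to a login page in answer to an API call is the hop to look at, since a cross-origin frontend cannot follow a browser login redirect under CORS.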