AWS ALB Cross-Origin Request Blocked CORS header ‘Access-Control-Allow-Origin’ missing

Trying to connect AWS ALB to OKTA

We get


Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://dev-123456.okta.com/oauth2/default/v1/authorize?client_id=XYZ&redirect_uri=https%3A%2F%2XYZ%2Foauth2%2Fidpresponse&response_type=code&scope=openid%20profile%20email%20offline_access&state=XYZ. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200

We defined OKTA as our OIDC-compliant IdP as shown in this article:

Our JS code is making a request to the ALB. This triggers the JS to make another request to /authorize.

We’ve set https://XYZ as a trusted origin when creating the Application

We’ve set https://XYZ as a trusted origin in the globally trusted origins

If we can discover the origin we can add it to the trusted origins.

Is there a way to find out the origin that is being sent to OKTA?

Thank you

Hello,

If I understand correctly, your code is making a JS (AJAX/XHR) request that goes through the ALB, and the ALB does a 302 to /authorize into Okta?

If this is correct, then this redirect to /authorize will be AJAX/XHR, which is not supported since Okta will not set CORS headers for /authorize calls.
See below link,

Note: When making requests to the /authorize endpoint, the browser (user agent) should be redirected to the endpoint. You can't use AJAX with this endpoint.
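
An added example (not part of the original thread, and not AWS or Okta code) of one way to act on the reply above: the client refuses to follow the ALB's 302 inside fetch and instead triggers a top-level navigation, so the browser itself is redirected to /authorize. The names `classifyAlbResponse`, `albFetch`, the `deps` parameter and the `/api/data` path are hypothetical.

```javascript
// Added example; function names and the deps parameter are assumptions, not an AWS/Okta API.
// With redirect: "manual", fetch does not follow the ALB's 302 to the IdP.
// The browser returns an opaque-redirect response (type "opaqueredirect", status 0),
// which is treated here as "ALB session missing or expired".
function classifyAlbResponse(response) {
  if (response.type === "opaqueredirect") return "reauth";
  if (response.ok) return "ok";
  return "error";
}

// fetchImpl, navigate and returnTo are injectable so the logic can run outside a browser.
async function albFetch(url, options = {}, deps = {}) {
  const fetchImpl = deps.fetchImpl || fetch;
  const navigate = deps.navigate || ((target) => window.location.assign(target));
  const returnTo =
    deps.returnTo || (typeof window !== "undefined" ? window.location.href : "/");

  const response = await fetchImpl(url, {
    ...options,
    credentials: "same-origin", // send the ALB session cookie with the request
    redirect: "manual",         // never let fetch/XHR chase the 302 to /authorize
  });

  switch (classifyAlbResponse(response)) {
    case "reauth":
      // Top-level navigation: the ALB redirects the whole page to /authorize,
      // which is the flow the Okta note asks for. No CORS check is involved.
      navigate(returnTo);
      return null;
    case "ok":
      return response;
    default:
      throw new Error(`Request to ${url} failed with status ${response.status}`);
  }
}
```

A request interrupted this way (for example a POST) is not replayed; the application has to issue it again once the page has returned from the login.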