As far as I can tell, I have my local dev, UAT, and PROD sites all listed in the origins correctly, and all three listed in settings correctly. I’m not sure why I am still receiving the CORS error…
You’ve got everything set up on your side correctly. The bug is on our side - this endpoint is not returning the Vary header to let the browser know that the endpoint may respond to multiple origins. We’re planning to release a fix soon.
The issue has been resolved through a feature that adds Vary: Origin on the /keys endpoint.
Please send us an email at developers@okta.com so we can review further and have this feature enabled if the scenario applies, or assist in troubleshooting if the issue is on a different endpoint.
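The caching behaviour behind the missing Vary header discussed above, shown as an added example that is not part of the original thread or Okta's code. It is a constructed model of one HTTP cache (browser or intermediary) in front of an endpoint that echoes allowed origins; the origins, the URL and all function names are hypothetical.

```javascript
// Constructed model (hypothetical origins and URL): an endpoint that echoes
// allowed origins, behind a cache keyed on URL plus headers named in Vary.
const ALLOWED = new Set(["https://uat.example.com", "https://prod.example.com"]);

function keysEndpoint(requestOrigin, sendVary) {
  const headers = {};
  if (ALLOWED.has(requestOrigin)) headers["access-control-allow-origin"] = requestOrigin;
  if (sendVary) headers["vary"] = "Origin";
  return { status: 200, headers, body: '{"keys":[]}' };
}

class HttpCache {
  constructor() {
    this.varyByUrl = new Map(); // url -> lower-cased header names from Vary
    this.store = new Map(); // cache key -> stored response
  }
  key(url, reqHeaders) {
    const names = this.varyByUrl.get(url) || [];
    return [url, ...names.map((n) => `${n}=${reqHeaders[n] || ""}`)].join("|");
  }
  fetch(url, reqHeaders, upstream) {
    const hit = this.store.get(this.key(url, reqHeaders));
    if (hit) return { response: hit, fromCache: true };
    const response = upstream(reqHeaders);
    const vary = response.headers["vary"] || "";
    this.varyByUrl.set(url, vary.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean));
    this.store.set(this.key(url, reqHeaders), response);
    return { response, fromCache: false };
  }
}

// Browser-side CORS check: the page may read the response only when
// Access-Control-Allow-Origin is "*" or equals the page's own origin.
function corsAllows(response, pageOrigin) {
  const acao = response.headers["access-control-allow-origin"];
  return acao === "*" || acao === pageOrigin;
}

// Two sites request the same URL in turn through one cache.
function simulate(sendVary) {
  const cache = new HttpCache();
  const url = "https://idp.example.com/keys";
  return ["https://uat.example.com", "https://prod.example.com"].map((origin) => {
    const { response, fromCache } = cache.fetch(url, { origin }, (h) => keysEndpoint(h.origin, sendVary));
    return { origin, fromCache, allowed: corsAllows(response, origin) };
  });
}

console.log({ withoutVary: simulate(false), withVary: simulate(true) });
```

Without Vary, the second site is served the first site's cached response and fails the CORS check even though its origin is on the allow list; with Vary: Origin the cache stores one entry per origin and both pass.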
Hi Dragos,
I found something strange related to this issue. Our application redirect is working fine when we specify an IP address, for example: https://10.53.23.67/logout&state=https://10.53.23.67
As soon as we specify a domain name, for example: https://abc.server.com/logout&state=https://abc.server.com
it goes into an infinite loop of redirection.
At first we thought it was due to TLS (https), but today we figured out that it is just an issue with redirection having a domain name.
Have you seen this behaviour?
From what I’ve seen previously, the infinite loop can be triggered if a configuration is set incorrectly. The best way to troubleshoot this issue would be to capture the sequence of HTTP requests and responses when you access the domain name, using a tool like Fiddler, and open a support ticket with us at developers@okta.com to further check with one of our Developer Support Engineers.
You can find a small guide here on how to use Fiddler and capture the entries.