Yet I’m still receiving a CORS error:
Access to fetch at ‘https://xxx.okta.com/oauth2/default/v1/interact’ from origin ‘https://www.xxx.com’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.
What could I do to resolve this error? Does the www prefix matter when adding trusted origins?
Can you verify that entering the following URL in your browser for your Okta Org pulls up the OIDC discovery document? https://{domain}.okta.com/oauth2/default/.well-known/openid-configuration
It should look similar to the below discovery document for your Okta Org. https://{domain}.okta.com/.well-known/openid-configuration
If your Okta Org does not have the API Access Management License, you will not have the default authorization server. Attempting to access the discovery document via a JS cross-origin call will give a CORS error.
Can you also confirm that the org you are testing with is on Okta Identity Engine? You can check which engine you are on by going to https://oktaDomain/.well-known/okta-organization : if you see "pipeline": "v1", you are using an Okta Classic Org that is not compatible with Interaction Code flow and if you see "pipeline" : "idx", you are using an Okta Identity Engine org.
This /interact endpoint is only invoked when useInteractionCodeFlow is enabled, so if you are on a classic org, set this to false.
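The two checks suggested in the replies above can be scripted. This is an added example, not code from the thread or from Okta: the function names `diagnoseOrg` and `probeOrg` are hypothetical, the sample inputs are constructed, and it assumes the widget's issuer is the `/oauth2/default` authorization server shown in the error message.

```javascript
// Added example (not from the thread). Function names are hypothetical.
// Decision logic: orgInfo is the parsed body of /.well-known/okta-organization,
// discoveryStatus is the HTTP status of the default authorization server's
// discovery document (/oauth2/default/.well-known/openid-configuration).
function diagnoseOrg(orgInfo, discoveryStatus) {
  const pipeline = orgInfo && typeof orgInfo.pipeline === "string" ? orgInfo.pipeline : null;
  const findings = [];
  let engine = "unknown";
  if (pipeline === "idx") engine = "identity-engine";
  else if (pipeline === "v1") engine = "classic";
  else findings.push("pipeline field missing or unrecognised: check the org URL");

  if (engine === "classic") {
    findings.push("Classic org: not compatible with Interaction Code flow, set useInteractionCodeFlow to false");
  }
  const hasDefaultAuthServer = discoveryStatus === 200;
  if (!hasDefaultAuthServer) {
    findings.push("default authorization server discovery document not served (status " +
      discoveryStatus + "): check for the API Access Management license");
  }
  return {
    engine,
    hasDefaultAuthServer,
    // /interact on /oauth2/default needs both an Identity Engine org and that server
    useInteractionCodeFlow: engine === "identity-engine" && hasDefaultAuthServer,
    findings,
  };
}

// Live probe. Run it with Node 18+ so the result reflects what the org serves
// rather than what the browser's CORS layer lets page script read.
async function probeOrg(oktaDomain, fetchImpl = fetch) {
  const base = "https://" + oktaDomain;
  const orgRes = await fetchImpl(base + "/.well-known/okta-organization");
  const orgInfo = orgRes.ok ? await orgRes.json() : null;
  const discRes = await fetchImpl(base + "/oauth2/default/.well-known/openid-configuration");
  return diagnoseOrg(orgInfo, discRes.status);
}

// Constructed sample inputs: only the "pipeline" field is taken from the thread.
const SAMPLE_CLASSIC = { pipeline: "v1" };
const SAMPLE_IDX = { pipeline: "idx" };
```

Calling `probeOrg("{domain}.okta.com")` with your own org domain returns the same report for the live org.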