CORS error encountered when Okta Sign-In Widget downloads security images from SPA running on http://localhost:3000

Hi, I’m running a React SPA on http://localhost:3000. When I turn on the security image feature in the widget config, it attempts to download from https://{{my_okta_domain}}/login/getimage?username={{my_username}}. I’m getting the CORS error despite the fact that I’ve added http://localhost:3000 to the auth server’s trusted origin. But I don’t think that matters, because that is the CORS policy for invoking the API. In the case of the security image download, is there a way to add a trusted origin? So far this feature only works with the same origin. Thanks!

Hi @hliang

The security image can be used only through the Okta subdomain and cannot be loaded externally via CORS.

Thanks for the clarification!