CORS error in production

I’ve created a React/Dot Net Core SPA. It works fine in a development environment. I have now created an SPA application in our production environment & am getting a CORS error:

“Access to XMLHttpRequest at ‘https://ZZZZZZZZ/oauth2/default/.well-known/openid-configuration’ from origin ‘https://localhost:44381’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.”

I have added https://localhost:44381 as a CORS trusted origin. (The error before I did this was different i.e. “Response to preflight request doesn’t pass access control check”).

How do I resolve this CORS error?

One thing I’ve noticed is that in the freebie environment https://dev-123456-admin.okta.com/admin (that number is fake btw), I see an option to switch to Developer Console & can get to Authorization servers. In our prod environment, I am super admin, but don’t see a way to get to the Developer Console.

If I go to https://{ourcompany}-admin.okta.com/oauth2/default/.well-known/openid-configuration it comes back with:

{"errorCode":"E0000015","errorSummary":"You do not have permission to access the feature you are requesting","errorLink":"E0000015","errorId":"oaea3jqYRouSnCOziy6TrsoCQ","errorCauses":}

Hi @andrew.rands,

This is because the production org doesn’t have API Access Management feature.
You will have to contact Okta sales to get this feature enabled/purchased for your production org.

I got it to work eventually. Code based on https://developer.okta.com/code/react/okta_react_sign-in_widget/

In the render section, I removed ‘/oauth2/default’ from the end of the issuer property. The key was something I read about Okta serving as the authorization server for itself, we refer to this as the “Okta Org Authorization Server” (https://developer.okta.com/docs/reference/api/oidc/#_2-okta-as-the-identity-platform-for-your-app-or-api) as opposed to using the Authorization server that is tied in with API Access management.

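To illustrate the fix described in the follow-up (issuer pointing at the Org Authorization Server instead of the custom `/oauth2/default` server), here is an added example that is not code from the thread or from Okta's sample; the org URL, the sample discovery responses and the helper names are constructed for this example, and the config shape follows the Sign-In Widget's `baseUrl`/`clientId`/`redirectUri`/`authParams` fields.

```javascript
// Added example (not from the thread or Okta's docs): build the widget issuer
// and sanity-check its discovery document before handing it to the widget.
const ORG_URL = "https://example.okta.com"; // constructed placeholder org

// A custom authorization server (e.g. "default") lives under /oauth2/<id> and
// needs the API Access Management feature; with no id, the issuer is the org
// root, i.e. the Org Authorization Server that every org has.
function buildIssuer(orgUrl, authServerId) {
  const base = orgUrl.replace(/\/+$/, "");
  return authServerId ? `${base}/oauth2/${authServerId}` : base;
}

// Classify a /.well-known/openid-configuration response for the given issuer.
// The E0000015 body is the "feature not enabled" answer seen in the thread.
function classifyDiscovery(issuer, status, body) {
  if (body && body.errorCode === "E0000015") {
    return { ok: false, reason: "API Access Management not enabled for this org" };
  }
  if (status !== 200 || !body || body.issuer !== issuer) {
    return { ok: false, reason: `unexpected discovery response (HTTP ${status})` };
  }
  return { ok: true, authorizationEndpoint: body.authorization_endpoint };
}

// Live check; fetchFn is injectable so the logic can be exercised offline.
async function checkIssuer(issuer, fetchFn = fetch) {
  const res = await fetchFn(`${issuer}/.well-known/openid-configuration`);
  const body = await res.json().catch(() => null);
  return classifyDiscovery(issuer, res.status, body);
}

// Widget config in the shape of the React sample: only authParams.issuer
// differs between the custom server and the org server.
function widgetConfig(issuer, clientId, redirectUri) {
  return {
    baseUrl: ORG_URL,
    clientId,
    redirectUri,
    authParams: { issuer, scopes: ["openid", "profile", "email"] },
  };
}

// Constructed sample responses mirroring the two outcomes in the thread.
const SAMPLE_DENIED = { errorCode: "E0000015", errorSummary: "You do not have permission" };
const SAMPLE_ORG_OK = {
  issuer: ORG_URL,
  authorization_endpoint: `${ORG_URL}/oauth2/v1/authorize`,
};
```

Run `checkIssuer(buildIssuer(ORG_URL, "default"))` against a real org to see which branch applies before changing the widget config.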
