CORS error on redirect after authentication in authorization code flow

My spring backend reacts with an error message

Invalid cors request

my logfiles show the following message

DEBUG 1351556 — [XNIO-1 task-1] o.s.web.cors.DefaultCorsProcessor : Reject: ‘null’ origin is not allowed

my cors policy should allow the okta domain:

cors:
allowed-origins: ‘…,https://okta-custom-domain,https://okta-domain.okta.com’
allowed-methods: ‘’
allowed-headers: '’
exposed-headers: ‘Authorization,Link,X-Total-Count’
allow-credentials: true
max-age: 1800

when trying the same code flow with oidcdebugger.com as redirect_uri the flow succeeds.

Any hint?

We probably need some more context. How is the backend configured? How or what front-end client code is making the requests for authentication and authorization?

If you are loading something from the file system, you will have a null origin.

Hi @franSim! Can you confirm you have configured CORS correctly per Access Denied Error while authorizing · Issue #135 · okta/okta-spring-boot · GitHub?

Hey @sigama ,
thank you for responding.

As far as I can see, CORS is configured correctly. I also allow CORS Requests from other domains, where everything is working correctly.
My Spring configuration allows

allowed-origins: ‘…,https://okta-custom-domain ,https://okta-domain.okta.com’

Maybe I need to add the port?

My Requests looks like this:

https://custom-okta-domain.com/oauth2/default/v1/authorize?client_id=myclientid&redirect_uri=https://my.domain.de/callback&scope=openid%20profile%20email&response_type=token&response_mode=form_post&state=state&nonce=zdt7tpbxdz

If it helps, my project is based on jhipster v7.2.0

Can you double check if you are able to use the “Default” Authorization Server I see in your authorize request? If you log into the Admin Console, can you navigate to Security → API → Authorization Servers, or is that tab missing for you?

You’ll get a CORS error if you try to hit an endpoint that does not exist, such as and oauth endpoint for a non-existent authorization server.

Yes, the default Auth server is present.

If I try the same flow via

OpenID Connect debugger

as redirect URI the flow succeeds.

So redirecting to /authorize endpoint in the browser works, but not when your spring app makes the request? Is it making it as a AJAX request then?

Any news on this topic? We are having the exact same issue…

Due to other pressing tickets, I didn’t proceed on working on it. But it is still in my Backlog. If you solve it I would appreciate an answer

It seems that in our case the problem is that the request sent by https://dev-idnumber.okta.com to our application does not contain an ‘origin’ header stating it is coming from the okta.com domain.
@andrea is it possible to add this header? if not, it will impossible to enable CORS in our application.

Please note that the issue in our case is not the okta server blocking our server’s requests (and therefore adding our server as an authorized origin in the API tab will not help) but rather the opposite : we cannot judge whether an incoming request comes from an authorized domain without the origin header.

we are also working with Spring

there is a workaround which is basically allowing all cross origin requests ( Null origin issue with SAML callback in OAuth flow | FusionAuth Forum ) which obviously has a negative impact on the application security level

Exact same issue here in my single page application. Anyone has any updates on this issue?

Did anyone ever figure this out? I’m getting the same issue (Origin is null when redirected to my app after successful login from an Okta dev account) however this time with SAML login. Adding “*” to allow all origin is not acceptable for us. Is there some configuration I’m missing?

For anyone with the same issue, it appears that this only occurs when using Okta with a localhost app. Once your app is visible on a real domain the Origin header from Okta is set correctly, at least it is for me.