My Spring backend responds with the error message
Invalid CORS request
My log files show the following message:
DEBUG 1351556 — [XNIO-1 task-1] o.s.web.cors.DefaultCorsProcessor : Reject: 'null' origin is not allowed
My CORS policy should allow the Okta domain:
When trying the same code flow with oidcdebugger.com as redirect_uri, the flow succeeds.
We probably need some more context. How is the backend configured? How or what front-end client code is making the requests for authentication and authorization?
If you are loading something from the file system, you will have a
Hey @sigama ,
thank you for responding.
As far as I can see, CORS is configured correctly. I also allow CORS Requests from other domains, where everything is working correctly.
My Spring configuration allows
allowed-origins: '…,https://okta-custom-domain,https://okta-domain.okta.com'
Maybe I need to add the port?
My requests look like this:
If it helps, my project is based on jhipster v7.2.0
Can you double check if you are able to use the “Default” Authorization Server I see in your authorize request? If you log into the Admin Console, can you navigate to Security → API → Authorization Servers, or is that tab missing for you?
You’ll get a CORS error if you try to hit an endpoint that does not exist, such as an OAuth endpoint for a non-existent authorization server.
Yes, the default Auth server is present.
If I try the same flow via OpenID Connect debugger as redirect URI, the flow succeeds.
So redirecting to the /authorize endpoint in the browser works, but not when your Spring app makes the request? Is it making it as an AJAX request then?
Any news on this topic? We are having the exact same issue…
Due to other pressing tickets, I didn’t proceed with working on it. But it is still in my backlog. If you solve it, I would appreciate an answer.
It seems that in our case the problem is that the request sent by https://dev-idnumber.okta.com to our application does not contain an ‘origin’ header stating it is coming from the okta.com domain.
@andrea, is it possible to add this header? If not, it will be impossible to enable CORS in our application.
Please note that the issue in our case is not the Okta server blocking our server’s requests (and therefore adding our server as an authorized origin in the API tab will not help) but rather the opposite: we cannot judge whether an incoming request comes from an authorized domain without the origin header.
We are also working with Spring.
There is a workaround, which is basically allowing all cross-origin requests (Null origin issue with SAML callback in OAuth flow | FusionAuth Forum), which obviously has a negative impact on the application’s security level.
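To make the trade-off discussed in this thread concrete, here is an added Spring example (not code from the thread, from JHipster or from Okta) that puts the allowed-origins list from the earlier post next to the allow-everything workaround and runs both against the 'null' origin from the log line. The Okta host names are the placeholders from the post; the /api/** path and the method and header lists are assumptions.

```java
import java.util.List;

import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

public class OktaCorsConfigDemo {

    // Origins that legitimately make cross-origin fetch/XHR calls to the API.
    // Placeholder host names taken from the thread, not real tenants.
    static final List<String> ALLOWED_ORIGINS = List.of(
            "https://okta-custom-domain",
            "https://okta-domain.okta.com");

    /** Explicit allow-list: what the thread's allowed-origins property expresses. */
    static CorsConfiguration strictConfig() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(ALLOWED_ORIGINS);
        cfg.setAllowedMethods(List.of("GET", "POST", "OPTIONS")); // assumption
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type")); // assumption
        cfg.setAllowCredentials(true);
        return cfg;
    }

    /** The workaround from the last post: every origin accepted. Shown for contrast only. */
    static CorsConfiguration permissiveConfig() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.addAllowedOriginPattern("*"); // Spring requires the pattern form once credentials are allowed
        cfg.setAllowedMethods(List.of("*"));
        cfg.setAllowedHeaders(List.of("*"));
        cfg.setAllowCredentials(true);
        return cfg;
    }

    /** Wire the strict policy only onto the paths that receive cross-origin API calls (assumed /api/**). */
    static UrlBasedCorsConfigurationSource source() {
        UrlBasedCorsConfigurationSource src = new UrlBasedCorsConfigurationSource();
        src.registerCorsConfiguration("/api/**", strictConfig());
        return src;
    }

    public static void main(String[] args) {
        CorsConfiguration strict = strictConfig();
        CorsConfiguration permissive = permissiveConfig();
        // "null" is the literal Origin value a browser sends for an opaque origin
        // (for example after a cross-site redirect); it is what DefaultCorsProcessor rejected in the log.
        for (String origin : List.of("https://okta-domain.okta.com", "null", "https://untrusted.example")) {
            System.out.printf("%-30s strict=%s permissive=%s%n", origin,
                    strict.checkOrigin(origin) != null ? "allow" : "reject",
                    permissive.checkOrigin(origin) != null ? "allow" : "reject");
        }
    }
}
```

The strict policy rejects both the opaque 'null' origin and the untrusted host, while the permissive workaround accepts all three with credentials, which is the security cost the last post refers to.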