CORS error on redirect after authentication in authorization code flow

My spring backend reacts with an error message

Invalid cors request

my logfiles show the following message

DEBUG 1351556 — [XNIO-1 task-1] o.s.web.cors.DefaultCorsProcessor : Reject: ‘null’ origin is not allowed

my cors policy should allow the okta domain:

cors:
  allowed-origins: '…,https://okta-custom-domain,https://okta-domain.okta.com'
  allowed-methods: '
  allowed-headers: '
  exposed-headers: 'Authorization,Link,X-Total-Count'
  allow-credentials: true
  max-age: 1800

when trying the same code flow with oidcdebugger.com as redirect_uri the flow succeeds.

Any hint?

We probably need some more context. How is the backend configured? How or what front-end client code is making the requests for authentication and authorization?

If you are loading something from the file system, you will have a null origin.

Hi @franSim! Can you confirm you have configured CORS correctly per Access Denied Error while authorizing · Issue #135 · okta/okta-spring-boot · GitHub?

Hey @sigama ,
thank you for responding.

As far as I can see, CORS is configured correctly. I also allow CORS Requests from other domains, where everything is working correctly.
My Spring configuration allows

allowed-origins: '…,https://okta-custom-domain,https://okta-domain.okta.com'

Maybe I need to add the port?

My request looks like this:

https://custom-okta-domain.com/oauth2/default/v1/authorize?client_id=myclientid&redirect_uri=https://my.domain.de/callback&scope=openid%20profile%20email&response_type=token&response_mode=form_post&state=state&nonce=zdt7tpbxdz

If it helps, my project is based on jhipster v7.2.0

Can you double check if you are able to use the “Default” Authorization Server I see in your authorize request? If you log into the Admin Console, can you navigate to Security → API → Authorization Servers, or is that tab missing for you?

You’ll get a CORS error if you try to hit an endpoint that does not exist, such as an OAuth endpoint for a non-existent authorization server.

Yes, the default Auth server is present.

If I try the same flow via OpenID Connect debugger as redirect URI, the flow succeeds.

So redirecting to the /authorize endpoint in the browser works, but not when your Spring app makes the request? Is it making it as an AJAX request then?

Any news on this topic? We are having the exact same issue…

Due to other pressing tickets, I didn’t proceed on working on it. But it is still in my Backlog. If you solve it I would appreciate an answer :slight_smile:

It seems that in our case the problem is that the request sent by https://dev-idnumber.okta.com to our application does not contain an 'Origin' header stating it is coming from the okta.com domain.
@andrea is it possible to add this header? If not, it will be impossible to enable CORS in our application.

Please note that the issue in our case is not the Okta server blocking our server’s requests (and therefore adding our server as an authorized origin in the API tab will not help) but rather the opposite: we cannot judge whether an incoming request comes from an authorized domain without the Origin header.

We are also working with Spring.

There is a workaround, which is basically allowing all cross-origin requests (Null origin issue with SAML callback in OAuth flow | FusionAuth Forum), which obviously has a negative impact on the application's security level.
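To make the decision behind the "'null' origin is not allowed" rejection concrete, here is a constructed model of a Spring-style CORS filter run over the requests discussed in this thread. This is an added example, not Spring's, JHipster's or any poster's code; the callback path, the API paths, the server origin and the "scoped" policy are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed model of a Spring-style CORS filter: a policy is attached to a
# set of path patterns (like UrlBasedCorsConfigurationSource) and a request is
# either passed through untouched, allowed with CORS headers, or rejected.

class CorsPolicy:
    def __init__(self, path_patterns, allowed_origins, allow_credentials):
        # Spring 5.3+ refuses "*" together with allow-credentials at startup,
        # so the "allow everything" workaround cannot be expressed this way.
        if allow_credentials and "*" in allowed_origins:
            raise ValueError('allowed-origins "*" cannot be combined with allow-credentials')
        self.path_patterns = path_patterns
        self.allowed_origins = allowed_origins
        self.allow_credentials = allow_credentials

    def applies_to(self, path):
        return any(fnmatchcase(path, pattern) for pattern in self.path_patterns)


def process(policy, method, path, headers, server_origin="https://my.domain.de"):
    """Return (decision, reason); decision is 'pass', 'allow' or 'reject'."""
    origin = headers.get("Origin")
    if origin is None or origin == server_origin:
        # No Origin header (or our own origin): not a CORS request at all.
        return "pass", "not a CORS request"
    if not policy.applies_to(path):
        # Mapping does not cover this path, so the filter never looks at it.
        return "pass", "CORS mapping does not cover this path"
    # A form_post from the IdP is a top-level cross-site navigation; after a
    # redirect the browser sends the literal string "null" (an opaque origin).
    # "null" only matches if someone lists it explicitly, which would also admit
    # file:// pages and sandboxed iframes, so an allow-list of real origins
    # rejects it, exactly like the DEBUG line quoted at the top of the thread.
    if origin not in policy.allowed_origins:
        return "reject", f"Reject: '{origin}' origin is not allowed"
    return "allow", "origin matches allow-list"


# Constructed request shapes from the thread (values are assumptions).
OKTA_ORIGINS = ["https://okta-custom-domain", "https://okta-domain.okta.com"]
FORM_POST = {"Origin": "null", "Content-Type": "application/x-www-form-urlencoded"}
# Policy as posted: the mapping covers every path, so the callback is rejected.
thread_policy = CorsPolicy(["/*"], OKTA_ORIGINS, allow_credentials=True)
# Scoping the mapping to API paths lets the callback navigation through while
# cross-origin API calls with an opaque origin are still rejected.
scoped_policy = CorsPolicy(["/api/*", "/management/*"], OKTA_ORIGINS, allow_credentials=True)
```

Running `process(thread_policy, "POST", "/callback", FORM_POST)` reproduces the rejection, while the same request against `scoped_policy` passes through to the callback handler.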