CORS error on redirect after authentication in authorization code flow

My spring backend reacts with an error message

Invalid cors request

My log files show the following message:

DEBUG 1351556 — [XNIO-1 task-1] o.s.web.cors.DefaultCorsProcessor : Reject: 'null' origin is not allowed

My CORS policy should allow the Okta domain:

cors:
  allowed-origins: '…,https://okta-custom-domain,https://okta-domain.okta.com'
  allowed-methods: '*'   # asterisk lost in forum rendering; JHipster default restored
  allowed-headers: '*'   # asterisk lost in forum rendering; JHipster default restored
  exposed-headers: 'Authorization,Link,X-Total-Count'
  allow-credentials: true
  max-age: 1800

When trying the same code flow with oidcdebugger.com as redirect_uri, the flow succeeds.

Any hint?

We probably need some more context. How is the backend configured? How or what front-end client code is making the requests for authentication and authorization?

If you are loading something from the file system, you will have a null origin.
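To show why the filter logs the literal value 'null' and rejects it, here is a small Python model of a CORS allow-list check of the kind described in the thread. It is an added illustration, not Spring's code and not code from the thread; the hostnames are the placeholders from the post, and the wildcard-with-credentials branch is an assumption about a generic filter, not a statement about any Spring version.

```python
# Added illustration: a generic model of the origin check behind the log line
# "Reject: 'null' origin is not allowed". Not Spring's implementation.
from typing import Optional

# Constructed allow list with the same shape as the poster's YAML (after the '…').
ALLOWED_ORIGINS = [
    "https://okta-custom-domain",
    "https://okta-domain.okta.com",
]
ALLOW_CREDENTIALS = True


def check_origin(origin: Optional[str], allowed=ALLOWED_ORIGINS,
                 allow_credentials=ALLOW_CREDENTIALS) -> Optional[str]:
    """Return the Access-Control-Allow-Origin value, or None to reject.

    Browsers send the literal string "null" for opaque origins (file://,
    sandboxed iframes, some cross-site redirect chains). It is compared like
    any other value, so it is rejected unless someone lists it explicitly,
    which is exactly the misconfiguration a defender wants to avoid: with
    credentials enabled, listing "null" would admit any sandboxed page.
    """
    if not origin:
        return None
    if "*" in allowed:
        # Assumed wildcard behaviour: with credentials on, reflect the origin
        # rather than echoing '*', which browsers refuse for credentialed calls.
        return origin if allow_credentials else "*"
    for candidate in allowed:
        if origin.lower() == candidate.lower():   # scheme+host match, case-insensitive
            return origin
    return None


def process(headers: dict, allowed=ALLOWED_ORIGINS) -> str:
    """Classify a request the way the filter's log lines do."""
    origin = headers.get("Origin")
    if origin is None:
        return "not a CORS request"   # no Origin header: same-origin, filter passes it through
    if check_origin(origin, allowed) is None:
        return f"Reject: '{origin}' origin is not allowed"
    return f"Accept: {origin}"
```

Run `process({"Origin": "null"})` to reproduce the rejection from the log, and `process({"Host": "my.domain.de"})` to see that a request with no Origin header is not treated as CORS at all.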

Hi @franSim! Can you confirm you have configured CORS correctly per Access Denied Error while authorizing · Issue #135 · okta/okta-spring-boot · GitHub?

Hey @sigama ,
thank you for responding.

As far as I can see, CORS is configured correctly. I also allow CORS Requests from other domains, where everything is working correctly.
My Spring configuration allows

allowed-origins: '…,https://okta-custom-domain,https://okta-domain.okta.com'

Maybe I need to add the port?

My request looks like this:

https://custom-okta-domain.com/oauth2/default/v1/authorize?client_id=myclientid&redirect_uri=https://my.domain.de/callback&scope=openid%20profile%20email&response_type=token&response_mode=form_post&state=state&nonce=zdt7tpbxdz

If it helps, my project is based on jhipster v7.2.0

Can you double check if you are able to use the “Default” Authorization Server I see in your authorize request? If you log into the Admin Console, can you navigate to Security → API → Authorization Servers, or is that tab missing for you?

You’ll get a CORS error if you try to hit an endpoint that does not exist, such as an OAuth endpoint for a non-existent authorization server.

Yes, the default Auth server is present.

If I try the same flow via OpenID Connect debugger as redirect URI, the flow succeeds.

So redirecting to the /authorize endpoint in the browser works, but not when your Spring app makes the request? Is it making it as an AJAX request then?