CORS headers for /oauth2/v1/token

nalbion · August 21, 2017, 6:39am

I’m trying to exchange an auth code for an access token in an Angular 1.5 app (without using the Okta SDK or widget).

It should be pretty straight-forward - redirect to Okta’s log in UI, receive access code and then XHR POST to /oauth2/v1/token and eventually also to the refresh endpoint.

When I send the XHR request I get a CORS error:

https://dev-123456.oktapreview.com/oauth2/v1/token. Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘https://localhost:8080’ is therefore not allowed access.

I have double-checked that our Okta subdomain is configured to add CORS headers, but the CORS headers are not provided - what’s going on?

mraible · August 23, 2017, 5:05am

I believe you need to use the default AS for this functionality, rather than your Org’s AS. Does posting to https://dev-123456.oktapreview.com/oauth2/default/v1/token. work?

beebebh · October 13, 2017, 7:04pm

Are you saying that we have no options for CORS when we use an Org AS?

Ema · September 19, 2018, 10:07pm

The default AS token URI https://xxxxxxxxx.oktapreview.com/oauth2/default/v1/token does not support CORS. Is there a way to work around that other than create a wrapper endpoint or disable CORS at browser level?

jmelberg · September 25, 2018, 4:36pm

Sorry for the late reply here all.

The /token endpoint is not CORS enabled, and therefore not intended to be accessed directly by the browser. There were few reasons why this was disabled, all centric around keeping an application secure.

Please use the Implicit Flow for the grant type.

Ema · September 25, 2018, 5:06pm

Thanks for responding and suggestion.

rozagerardo · January 31, 2019, 9:37pm

But wouldn’t an Authorization Server be expected to allow this?
According to the last OAuth specs, SPA should move to Auth Code flow with PKCE key, right? How can we accomplish the auth dance without allowing token requests from the browser?

mraible · February 19, 2019, 3:40pm

We are working on adding support for this. Unfortunately, it’s not available right now.

rbetana · April 26, 2019, 10:07am

@mraible can you share to me the status ? Thanks

dragos · April 26, 2019, 1:09pm

Hi @rbetana

The /token endpoint is now CORS enabled for Authorization code flow with PKCE since version 2019.03.2 in Okta preview and 2019.04.0 in production. You can find further details about this release here.

system · January 17, 2024, 11:26pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.