CORS headers for /oauth2/v1/token

nalbion · August 21, 2017, 6:39am

I’m trying to exchange an auth code for an access token in an Angular 1.5 app (without using the Okta SDK or widget).

It should be pretty straight-forward - redirect to Okta’s log in UI, receive access code and then XHR POST to /oauth2/v1/token and eventually also to the refresh endpoint.

When I send the XHR request I get a CORS error:

https://dev-123456.oktapreview.com/oauth2/v1/token. Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘https://localhost:8080’ is therefore not allowed access.

I have double-checked that our Okta subdomain is configured to add CORS headers, but the CORS headers are not provided - what’s going on?

mraible · August 23, 2017, 5:05am

I believe you need to use the default AS for this functionality, rather than your Org’s AS. Does posting to https://dev-123456.oktapreview.com/oauth2/default/v1/token. work?

beebebh · October 13, 2017, 7:04pm

Are you saying that we have no options for CORS when we use an Org AS?

Ema · September 19, 2018, 10:07pm

The default AS token URI https://xxxxxxxxx.oktapreview.com/oauth2/default/v1/token does not support CORS. Is there a way to work around that other than create a wrapper endpoint or disable CORS at browser level?

jmelberg · September 25, 2018, 4:36pm

Sorry for the late reply here all.

The /token endpoint is not CORS enabled, and therefore not intended to be accessed directly by the browser. There were few reasons why this was disabled, all centric around keeping an application secure.

Please use the Implicit Flow for the grant type.

Ema · September 25, 2018, 5:06pm

Thanks for responding and suggestion.

rozagerardo · January 31, 2019, 9:37pm

But wouldn’t an Authorization Server be expected to allow this?
According to the last OAuth specs, SPA should move to Auth Code flow with PKCE key, right? How can we accomplish the auth dance without allowing token requests from the browser?

mraible · February 19, 2019, 3:40pm

We are working on adding support for this. Unfortunately, it’s not available right now.

rbetana · April 26, 2019, 10:07am

@mraible can you share to me the status ? Thanks

dragos · April 26, 2019, 1:09pm

Hi @rbetana

The /token endpoint is now CORS enabled for Authorization code flow with PKCE since version 2019.03.2 in Okta preview and 2019.04.0 in production. You can find further details about this release here.

system · January 17, 2024, 11:26pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
Getting CORS error while calling okta /v1/token api Questions	9	4246	February 8, 2024
Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response Questions cors	9	11764	February 8, 2024
CORS policy is not being applied to /oauth2/default/v1/keys Questions	3	5280	January 3, 2020
V1/token endpoint receiving CORS error Questions react	3	4369	January 11, 2022
CORS errors even when using trusted origin Questions	16	24874	September 23, 2021

CORS headers for /oauth2/v1/token

Related topics