I’m trying to exchange an auth code for an access token in an Angular 1.5 app (without using the Okta SDK or widget). It should be pretty straight-forward - redirect to Okta’s log in UI, receive access code and then XHR POST to /oauth2/v1/token and eventually also to the refresh endpoint. When I s…

Hi @rbetana The /token endpoint is now CORS enabled for Authorization code flow with PKCE since version 2019.03.2 in Okta preview and 2019.04.0 in production. You can find further details about this release here .

I believe you need to use the default AS for this functionality, rather than your Org’s AS. Does posting to https://dev-123456.oktapreview.com/oauth2/default/v1/token. work?

Are you saying that we have no options for CORS when we use an Org AS?

The default AS token URI https://xxxxxxxxx.oktapreview.com/oauth2/default/v1/token does not support CORS. Is there a way to work around that other than create a wrapper endpoint or disable CORS at browser level?

Sorry for the late reply here all. The /token endpoint is not CORS enabled, and therefore not intended to be accessed directly by the browser. There were few reasons why this was disabled, all centric around keeping an application secure. Please use the Implicit Flow for the grant type.

But wouldn’t an Authorization Server be expected to allow this? According to the last OAuth specs, SPA should move to Auth Code flow with PKCE key, right? How can we accomplish the auth dance without allowing token requests from the browser?

We are working on adding support for this. Unfortunately, it’s not available right now.

@mraible can you share to me the status ? Thanks

CORS headers for /oauth2/v1/token

Questions

Ema September 25, 2018, 5:06pm 6

Thanks for responding and suggestion.

Post		Replies	Views
Getting CORS error while calling okta /v1/token api Questions	8	4483	August 17, 2021
V1/token endpoint receiving CORS error Questions react	2	4449	January 11, 2022
CORS error on Okta authorize api end point from frontend API	4	4265	May 4, 2022
Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response Questions cors	8	12283	October 21, 2021
CORS error with the users API Questions	2	3339	December 28, 2020

CORS headers for /oauth2/v1/token

Related topics