CORS headers for /oauth2/v1/token


#1

I’m trying to exchange an auth code for an access token in an Angular 1.5 app (without using the Okta SDK or widget).

It should be pretty straightforward - redirect to Okta’s login UI, receive access code and then XHR POST to /oauth2/v1/token and eventually also to the refresh endpoint.

When I send the XHR request I get a CORS error:

https://dev-123456.oktapreview.com/oauth2/v1/token. Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘https://localhost:8080’ is therefore not allowed access.

I have double-checked that our Okta subdomain is configured to add CORS headers, but the CORS headers are not provided - what’s going on?


#2

I believe you need to use the default AS for this functionality, rather than your Org’s AS. Does posting to https://dev-123456.oktapreview.com/oauth2/default/v1/token work?


#3

Are you saying that we have no options for CORS when we use an Org AS?


#4

The default AS token URI https://xxxxxxxxx.oktapreview.com/oauth2/default/v1/token does not support CORS. Is there a way to work around that other than create a wrapper endpoint or disable CORS at browser level?


#5

Sorry for the late reply here all.

The /token endpoint is not CORS enabled, and therefore not intended to be accessed directly by the browser. There were a few reasons why this was disabled, all centred on keeping an application secure.

Please use the Implicit Flow for the grant type.


#6

Thanks for responding and for the suggestion.


#7

But wouldn’t an Authorization Server be expected to allow this?
According to the last OAuth specs, SPAs should move to the Auth Code flow with a PKCE key, right? How can we accomplish the auth dance without allowing token requests from the browser?


#8

We are working on adding support for this. Unfortunately, it’s not available right now.