I’m trying to exchange an auth code for an access token in an Angular 1.5 app (without using the Okta SDK or widget).
It should be pretty straight-forward - redirect to Okta’s log in UI, receive access code and then XHR POST to /oauth2/v1/token and eventually also to the refresh endpoint.
When I send the XHR request I get a CORS error:
https://dev-123456.oktapreview.com/oauth2/v1/token. Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘https://localhost:8080’ is therefore not allowed access.
I have double-checked that our Okta subdomain is configured to add CORS headers, but the CORS headers are not provided - what’s going on?