Background: I am attempting to implement Okta Authentication into an existing application (C#, Web API).
For a starting point, I looked for an example and ran:
The example worked fine. It runs on http://localhost:8080 and I entered my Okta client id, secret, Redirect URI, etc… into the web.config.
I see an Authorization call to Okta is done once and it is an HTTP GET. All good.
Question #1: Even though it worked, why did I not have to enter http://localhost:8080 into the ‘Trusted Origins’ section, which I thought would have been needed to hit the Okta Authorization server?
My app runs locally on https://localhost.mycompany.dev:44300
My hosts file allows this to resolve (127.0.0.1 localhost.mycompany.dev).
Taking the Authentication code from what I learned in the example project, it WORKS for a while, and then stops working.
If I run in incognito, it never does and I get the following error. Also, after a while (still nailing down timing) it begins to not run in non-incognito mode.
In failing scenarios, I see the authorization call is an HTTP OPTIONS (what all of a sudden triggers this?)
I get the following error when this call is made.
Failed to load https://dev-495115.oktapreview.com/oauth2/default/v1/authorize?client_id=0oaiyft8whiLA1p6K0h7&redirect_uri=https%3a%2f%2flocalhost.mycompany.dev%3a44300%2fauthorization-code%2fcallback&response_mode=form_post&response_type=code+id_token&scope=openid+profile&state=OpenIdConnect.AuthenticationProperties%3dnOUIEgy3XmOXGViF5IT7qrPWDqu1YI8YhDViRrmlNUsL2CvcC-Vr8jUPAaOUv2e_I2qphvt8a6nvuH_z6KyDn8UzAUFeTtnpaWFtjDpZHqWx2gELsE1VW45EO75NUg7e9TqBUJdbiyMCCkAqDvyJDGsGEXZ95YweQHOtD86zUBjsVMygAKQb8wJWJNkg8xjEQvBm4VD0kBS1RpdCb0xH7q5iadiTlNfcgsFuE98so0w8XZJRFV-9f4f8AhyuSsg2Nof7k5hXkI1JnFAnVdVJJRUZx5QFNhYzYGt8p2N9llHHIKzQXM--F-eYCp6CA8PG&nonce=636831601581659817.YmRjNmVmY2ItNWVmZS00MzBiLTg4MWItNWJhMTc5OWI4OWVjZWVkODdjNjAtNDEzNC00ODNiLTlmMDUtMTI1MGEyNDMxMzUy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://localhost.mycompany.dev:44300' is therefore not allowed access.
In the Okta Admin for my Authorization server, in an attempt to fix I added the following trusted origins:
Question #2: Simply looking for insight into why my custom app isn’t behaving as expected. Why is its authorization call sometimes an OPTIONS call where Okta is not responding with the ‘Access-Control-Allow-Origin’ that I’m expecting? I believe I’ve added the proper trusted origins.
Again note, I was running my app for a while. I could see Okta claims, etc… Thank you for taking the time to help!