CORS issue on Browser during redirect request


Any suggestions on how to resolve CORS issue in my case, detailed below:

  • grant type autorisation_code, redirect mode
  • This redirect request has to be presented by JS and not by user-agent/browser according to our requirements.
  • Front end react
  • Back end spring boot
  • Both of above deployed as docker containers behind NGINX API gw with a public DNS provided by Amazon EC2
  • Security->API->Trusted origin updated with above URL
  • Front end sends (fetch) to /authorize API with HTTP origin containing above URL
  • Response from OKTA doesn’t contain the access-control-allow-origin header
  • However, no CORS error reported if front end fetches from “

Actual error on browser:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200


Hi Balaji,

Okta does not set CORs headers for the /authorize endpoint and requires a user-agent redirect for browser clients.
See here.

Note: When making requests to the /authorize endpoint, the browser (user agent) should be redirected to the endpoint. You can’t use AJAX with this endpoint.

Thank You,

1 Like

Hi Erik,
Many thanks for your response.
I have come across your suggestion in an earlier post, hence mentioned our requirement that the redirect has to be presented from AJAX and not browser.
However I have worked around this by redirecting to our NGINX API gateway but facing a 403.
More details here - 403 error returned on hitting /login/token/redirect


Related to this, if there are intentionally no CORS headers what is the procedure for using the prompt=none parameter?

Presumably it’s intended to be used for silent token renewal (from script), so how is a client meant to obtain the (redirection) response - containing the code, or the error response - that will tell it that the user is going to need to be prompted to re-authenticate?