CORS issue on Browser during redirect request

Team,

Any suggestions on how to resolve CORS issue in my case, detailed below:

  • grant type authorization_code, redirect mode
  • This redirect request has to be presented by JS and not by user-agent/browser according to our requirements.
  • Front end react
  • Back end spring boot
  • Both of above deployed as docker containers behind NGINX API gw with a public DNS provided by Amazon EC2
  • Security->API->Trusted origin updated with above URL
  • Front end sends (fetch) to /authorize API with HTTP origin containing above URL
  • Response from OKTA doesn’t contain the access-control-allow-origin header
  • However, no CORS error reported if front end fetches from “https://dev-masked.okta.com/api/v1/users/me”

Actual error on browser:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://dev-masked.okta.com/oauth2/v1/authorize?response_type=code&client_id=masked&scope=openid%20profile%20email&state=masked&redirect_uri=https://.us-west-2.compute.amazonaws.com/authorization-code/callback&nonce=fGLC3z93VS8gtEiWExlw_bGD1gxm5a5BGGtaSyhwc80. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200

Thanks,
Balaji.G

Hi Balaji,

Okta does not set CORS headers for the /authorize endpoint and requires a user-agent redirect for browser clients.
See here.

Note: When making requests to the /authorize endpoint, the browser (user agent) should be redirected to the endpoint. You can’t use AJAX with this endpoint.

Thank You,

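The user-agent redirect described in the reply above, as an added example that is not part of the thread or Okta's SDKs: the browser navigates the whole window to /authorize instead of calling fetch() on it, and the callback is parsed with a state check that also surfaces an OAuth error response (for example error=login_required) rather than treating it as a code. ISSUER, CLIENT_ID, REDIRECT_URI, the sessionStorage keys and the function names are assumptions.

```javascript
// Added example, not from the thread: start the authorization-code flow with a
// user-agent navigation instead of fetch(), then validate the callback.
const ISSUER = 'https://dev-masked.okta.com';                 // tenant from the thread
const CLIENT_ID = 'CLIENT_ID_PLACEHOLDER';                    // assumed placeholder
const REDIRECT_URI = 'https://app.example.com/authorization-code/callback'; // assumed
// Opaque random value for state/nonce via Web Crypto (browsers, Node 19+).
function randomToken(bytes = 16) {
  const buf = new Uint8Array(bytes);
  globalThis.crypto.getRandomValues(buf);
  return Array.from(buf, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Build the /oauth2/v1/authorize URL. Pure function: nothing is requested here.
function buildAuthorizeUrl({ issuer, clientId, redirectUri, state, nonce,
                             scope = 'openid profile email', prompt }) {
  const url = new URL('/oauth2/v1/authorize', issuer);
  const p = url.searchParams;
  p.set('response_type', 'code');
  p.set('client_id', clientId);
  p.set('scope', scope);
  p.set('redirect_uri', redirectUri);
  p.set('state', state);   // bound to this browser session; checked on return
  p.set('nonce', nonce);   // echoed in the ID token; checked after the code exchange
  if (prompt) p.set('prompt', prompt);   // e.g. 'none' for a silent attempt
  return url.toString();
}

// Browser entry point: remember state/nonce, then navigate the whole window. Never
// fetch() this URL; the redirect is for the user agent, hence no CORS header.
function startLogin(store = globalThis.sessionStorage,
                    navigate = (u) => window.location.assign(u)) {
  const state = randomToken(), nonce = randomToken();
  store.setItem('oauth_state', state);
  store.setItem('oauth_nonce', nonce);
  navigate(buildAuthorizeUrl({ issuer: ISSUER, clientId: CLIENT_ID,
                               redirectUri: REDIRECT_URI, state, nonce }));
}

// Parse the callback URL: reject a state mismatch first, surface an OAuth error
// response (e.g. error=login_required) rather than treating it as success.
function parseCallback(callbackUrl, expectedState) {
  const p = new URL(callbackUrl).searchParams;
  if (p.get('state') !== expectedState) throw new Error('state mismatch: stale or forged callback');
  const error = p.get('error');
  if (error) return { error, description: p.get('error_description') || '' };
  const code = p.get('code');
  if (!code) throw new Error('callback carries neither code nor error');
  return { code };
}
```

In the React app, startLogin() replaces the fetch() call to /authorize, and parseCallback(window.location.href, sessionStorage.getItem('oauth_state')) runs on the callback route before the code is sent to the Spring Boot back end for exchange.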

Hi Erik,
Many thanks for your response.
I have come across your suggestion in an earlier post, hence I mentioned our requirement that the redirect has to be presented from AJAX and not the browser.
However, I have worked around this by redirecting to our NGINX API gateway but am facing a 403.
More details here - 403 error returned on hitting /login/token/redirect

Thanks,
Balaji.G

Related to this, if there are intentionally no CORS headers what is the procedure for using the prompt=none parameter?

Presumably it’s intended to be used for silent token renewal (from script), so how is a client meant to obtain the (redirection) response - containing the code, or the error response - that will tell it that the user is going to need to be prompted to re-authenticate?