CORS issue, trusted origins config ok

Hi,

I’m trying to update a user through the “/api/v1/users/me” endpoint. When I test I get a CORS error by my browser.

Access to fetch at ‘https://[URL].okta.com/api/v1/users/me’ from origin ‘http://localhost:8000’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.

I have following settings: Under API > trusted origins I added “http://localhost:8000” with CORS enabled.

I’m sure the user is logged.
My code in short:

const handleOnClick = async () => {

const accessToken = authState.accessToken
const response = await fetch(
  `https://[URL].okta.com/api/v1/users/me`,
  {
    method: "POST",
    headers: {
      "Accept": "application/json",
      "Content-Type": "application/json",          
      "Authorization": `Bearer ${accessToken}`,
    },
    body: JSON.stringify({
      profile: {
        nickName: "testNickname",
        middleName: "testMiddleName",
      },
    }),
  }
)}

Any idea what the issue might be?

I think it maybe b/c it accepts different type of token (SSWS vs your Bearer) https://developer.okta.com/docs/reference/api/users/#update-current-user-s-profile

The “/api/v1/users/me” api is CORS enabled which I think means you can use a bearer token, correct?
I just got it to work by sending the cookie in the request with credentials: "include"
With this option it doesn’t even need any token, but I don’t know how this even works and/or if this is a security issue.

Following code works, but I don’t know why:

await fetch(
  `https://[url].okta.com/api/v1/users/me`,
  {
    method: "POST",
    cache: "no-cache",
    credentials: "include", // => includes the token in the request
    headers: {
      "Accept": "application/json",
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      profile: {
        nickName: "testNickname",
      },
    }),
  }
)

If anyone can explain this behaviour I would be grateful

Hi @kevin.v

The script, through credentials: include leverages the current active session in Okta and returns the details. If you would try this in a browser window where you don’t have a session, the /api/v1/users/me will return an invalid session error.