CORS policy is not being applied to /oauth2/default/v1/keys

Hello all,

I am pretty new to using Okta and perhaps I am missing something. I’ve used the Okta example for Vue and implemented a very simple application that is supposed to authenticate with Okta. I am sure that I have seen it working a few days back.

However, today when I tried to do the authentication I started to receive the following message in the console:

Access to XMLHttpRequest at ‘https://******’ from origin ‘http://localhost:8080’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

My trusted origins are set, and the token POST request returns the proper Access-Control… however, GET keys is missing the whole header.

Is anybody else having the same issue?


Hi @vladimirm

If you access the endpoint /oauth2/default/v1/keys in the browser, do you receive a 200 response with the signing keys?

Also, if you run this example, does it display the signing keys?

var url = '';  // set to the full URL of the /oauth2/default/v1/keys endpoint
var xhr = new XMLHttpRequest();
if ("withCredentials" in xhr) {
    xhr.onerror = function() {
      console.log('Invalid URL or Cross-Origin Request Blocked.  You must explicitly add this site (' + window.location.origin + ') to the list of allowed websites in the administrator UI');
    };
    xhr.onload = function() {
        // Display the response body (the signing keys)
        console.log(this.responseText);
    };
    xhr.open('GET', url, true);
    xhr.send();
} else {
    console.log("CORS is not supported for this browser!");
}

Hello @dragos,

Thanks for answering. Yes, I was receiving a 200 response. However, after your response I went again to check the console and noticed that for some reason the keys are being served from the cache. Clearing the browser cache resolved the problem.
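Added example, not part of the thread and not Okta's code: a model of the check the browser applied in the error above, which also flags a response that a cache could replay to a cross-origin request without the header, consistent with the resolution in the last post. The function name `corsDiagnosis` is hypothetical and both header sets are constructed samples, not captured Okta responses.

```javascript
// Models the browser's CORS check for a cross-origin GET sent without
// credentials, and flags responses a cache could replay to another requester.
function corsDiagnosis(pageOrigin, headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();

  const acao = h['access-control-allow-origin'];
  const allowed = acao === '*' || acao === pageOrigin;
  let reason;
  if (acao === undefined) reason = 'no Access-Control-Allow-Origin header';
  else if (!allowed) reason = 'Access-Control-Allow-Origin does not match ' + pageOrigin;
  else reason = 'origin allowed';

  // A stored response can be reused for a later request unless the server
  // forbids storing it or declares that it varies by the Origin header.
  const vary = (h['vary'] || '').toLowerCase().split(',').map(s => s.trim());
  const variesByOrigin = vary.includes('origin') || vary.includes('*');
  const storable = !/\bno-store\b/.test((h['cache-control'] || '').toLowerCase());
  const cacheHazard = storable && !variesByOrigin && acao !== '*';

  return { allowed, reason, cacheHazard };
}

// Constructed sample: a response that carries the CORS header (like the token POST).
const SAMPLE_WITH_HEADER = {
  'Access-Control-Allow-Origin': 'http://localhost:8080',
  'Vary': 'Origin',
  'Cache-Control': 'no-store',
};

// Constructed sample: a stored copy fetched without an Origin request header
// (for example by opening the URL in the address bar), so it has no CORS header.
const SAMPLE_CACHED_KEYS = {
  'Content-Type': 'application/json',
  'Cache-Control': 'max-age=3600',
};

console.log(corsDiagnosis('http://localhost:8080', SAMPLE_WITH_HEADER));
console.log(corsDiagnosis('http://localhost:8080', SAMPLE_CACHED_KEYS));
```

In the browser, repeating the request with `fetch(url, { cache: 'reload' })` skips the stored copy, which separates a stale cache entry from a missing trusted origin.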


