Django django-okta-auth CORS issue

Hi,

I am using the following versions of packages for my Django web app:
python 3.12
django 4.2.23
django-okta-auth==0.8.0
django-cors-headers==4.7.0

Now when I try to sign in using the Okta sign-in widget I get:

Access to XMLHttpRequest at ‘https://.oktapreview.com/api/v1/authn’ from origin ‘https://hostname:4200’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

This is just a Django web app with HTML where the Django server is serving both the HTML content and the backend data. I tried all solutions like installing the cors headers package and allowing all origins and specific origins, and nothing worked. Please help.

I am assuming that you are using the self-hosted sign-in widget (aka the embed widget). This widget is running in the browser (not the Django app) and requires CORS to talk to the authentication API at your Okta tenant.

Go to “Security → API”, click on the “Trusted Origins” tab and make sure you have CORS enabled for your URL.

This is not a problem on the Django side; Okta is not adding the Access-Control-Allow-Origin header for the API call the widget is making.

NOTE: self-hosting the widget will lead to complications where SSO does not work with other applications that are also trusting your Okta tenant. The user is not visiting Okta and the Okta session cookie is not set. It is much better to use Okta-hosted login, and there are no security issues with that. In fact, there are other security issues with the self-hosted widget, among them that the user password is now available to the application if it scrounges for it.

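As an added diagnostic (not from this thread, from Okta, or from django-okta-auth), the script below reproduces the browser's preflight check for the widget's POST to /api/v1/authn. The tenant URL, the origin and the two response header sets are constructed placeholders, not captures; the point is that the header the browser looks for must come from the Okta tenant's response, so no django-cors-headers setting can change the outcome.

```python
import urllib.error
import urllib.request

AUTHN_PATH = "/api/v1/authn"             # endpoint named in the error message
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}  # never need to be listed in Allow-Methods


def preflight_allowed(origin, method, req_headers, resp_headers, credentials=False):
    """Mirror the browser's preflight rules (Fetch spec, simplified).

    Returns (allowed, reason). The widget's POST carries a JSON body, so the
    browser preflights it and 'content-type' must be explicitly allowed.
    """
    h = {k.lower(): v for k, v in resp_headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False, "No Access-Control-Allow-Origin header is present"
    if acao != origin and (acao != "*" or credentials):   # '*' is literal with credentials
        return False, f"Access-Control-Allow-Origin is {acao!r}, not {origin!r}"

    def csv(name):  # comma-separated header value -> lowercase token set
        return {v.strip().lower() for v in h.get(name, "").split(",") if v.strip()}

    methods, headers = csv("access-control-allow-methods"), csv("access-control-allow-headers")
    m = method.upper()
    if m not in SAFELISTED_METHODS and m.lower() not in methods and ("*" not in methods or credentials):
        return False, f"method {m} not listed in Access-Control-Allow-Methods"
    wildcard = "*" in headers and not credentials
    missing = [x for x in req_headers if x.lower() not in headers and not wildcard]
    if missing:
        return False, f"request headers not allowed: {missing}"
    return True, "preflight passes"


def live_preflight(okta_base_url, origin):
    """Send the same OPTIONS preflight the browser sends (needs network; placeholder tenant URL)."""
    req = urllib.request.Request(okta_base_url + AUTHN_PATH, method="OPTIONS", headers={
        "Origin": origin,
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "content-type",
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            hdrs = dict(resp.getheaders())
    except urllib.error.HTTPError as e:   # an error status still carries the CORS headers we inspect
        hdrs = dict(e.headers.items())
    return preflight_allowed(origin, "POST", ["content-type"], hdrs)


# Constructed responses: tenant before and after the origin is added under Trusted Origins.
ORIGIN = "https://hostname:4200"
BEFORE = {"Content-Type": "application/json"}   # Django settings cannot add a header to this response
AFTER = {"Access-Control-Allow-Origin": ORIGIN, "Access-Control-Allow-Methods": "POST, OPTIONS",
         "Access-Control-Allow-Headers": "Content-Type, Accept"}

if __name__ == "__main__":
    print("before:", preflight_allowed(ORIGIN, "POST", ["content-type"], BEFORE))
    print("after: ", preflight_allowed(ORIGIN, "POST", ["content-type"], AFTER))
```

Running `live_preflight("https://PLACEHOLDER.oktapreview.com", "https://hostname:4200")` against a real tenant returns the same (allowed, reason) pair for the actual response, which tells you whether the Trusted Origin entry took effect.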
