Does the new device/authorize API support CORS?

jschlarb · September 16, 2021, 7:23pm

We’ve configured an application and an Okta integration to support the device authorization grant, as described here.

I added 2 Trusted Origins for our servers, which are https://www.spsandiford.work/ and http://10.0.0.67:8080. However, we are getting this CORS error when POSTing to the device/authorize endpoint:
“No Access-Control-Allow-Origin header is present on the requested resource”.

We confirmed that this CORS is header is sent for other APIs, for example oauth/…/token.

While researching this problem, I found the following information:

"The Okta API supports CORS on an API by API basis. If you’re building an application that needs CORS, please check that the specific operation supports CORS for your use case. APIs that support CORS are marked with the following icon: CORS. "

Since this is a new API that is not formally documented yet, I can’t see whether CORS is supported for this API. Please advise whether CORS is supported. We will need CORS for our application to work.

Lijia · September 16, 2021, 9:15pm

@jschlarb Hi, the info you got here is correct.
“APIs that support CORS are marked with the following icon: CORS”
For example, the below API is marked with “CORS”, it should support CORS.
https://developer.okta.com/docs/reference/api/users/#get-user
For the API you do not see it marked with icon “CORS”, it should not support.

jschlarb · September 17, 2021, 2:39pm

Thanks for the quick reply. I realize that the device authorization was intended for native applications, and that may be why CORS is not supported. We have a device that uses an embedded browser, but doesn’t have a keyboard. Is it possible that this new feature could be expanded later to support devices with an embedded browser?