I’m developing a Spring Boot and React web application secured by Okta. All the React web pages are now behind Okta security.
Now I want a public web page (https://my.example.com/welcome) that all users can visit regardless of security. I have permitted the route in the Spring Security config. When I visit the /welcome route, the browser gives the warning message below and the web page is blank:
Cross-Origin Read Blocking (CORB) blocked cross-origin response https://xxxxxxx.okta.com/oauth2/default/v1/authorize?response_type=code&client_id=xxxxxxxxx&scope=profile%20email%20openid&state=rDYLqV7WDv2la1onSvQsTNeXCvDmWhS0_ZoPFlMAE80%3D&redirect_uri=https://xxxxxx.xxxxx.com/careportal/login/callback&nonce=XvMoC5iP5OGYsvG0bS-QfQh1yfYmhNohmD7GvfukyCo with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.
How can I provide access to the /welcome page without authentication?
okta:
  oauth2:
    issuer: https://xxxxxxxxx.okta.com/oauth2/default
    clientId: xxxxxxxxxxxxxx
    clientSecret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    post-logout-redirect-uri: /
    redirect-uri: /login/callback
httpSecurity.authorizeRequests()
        .antMatchers("/", "/welcome").permitAll()
        .anyRequest().authenticated()
        .and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
        .and().oauth2Client()
        .and().oauth2Login();
return httpSecurity.build();
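
An added example, not part of the original post: CORB applies to subresource loads rather than page navigations, so the warning indicates that something the /welcome page loads (such as its script bundle) still falls under `anyRequest().authenticated()` and is redirected to Okta. The sketch below keeps the post's Spring Security 5 style and permits the files the public page needs while the rest stays protected; the class name, the Create React App asset paths and the `/api/**` prefix are assumptions, not values from the post.

```java
// Added example (not the poster's code). Assumed names: SecurityConfig, the
// Create React App asset paths, and the /api/** prefix.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class SecurityConfig {

    // Everything the browser fetches to render the public page before login:
    // the SPA shell plus its bundles. "/welcome" alone covers only the document.
    private static final String[] PUBLIC_PATHS = {
        "/", "/welcome", "/index.html", "/static/**", "/manifest.json", "/favicon.ico"
    };

    @Bean
    SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.authorizeRequests()
                .antMatchers(PUBLIC_PATHS).permitAll()
                // Every other path still requires an authenticated session.
                .anyRequest().authenticated()
            .and().exceptionHandling()
                // Unauthenticated API calls get a 401 the React code can handle,
                // instead of a cross-origin redirect to the Okta authorize page.
                .defaultAuthenticationEntryPointFor(
                        new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
                        new AntPathRequestMatcher("/api/**"))
            .and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .and().oauth2Client()
            .and().oauth2Login();
        return httpSecurity.build();
    }
}
```

The browser's Network tab shows which request in the /welcome load returns a redirect to Okta; that path is the one missing from the permit list.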