Issue with okta_post_message responce mode giving error

we are seeing issue with okta_post_message response mode . the URL works fine with query.

we re using custom domain in our org. issuer also set to https://org.abc.com.

Both redirect url also in same domain.

Below is the URL we are trying on browser and it get struck on the browser not going anywhere.

https://org.abc.com/oauth2/v1/authorize?client_id=XXXXXXXXcode_challenge=V-HHH-gYyfW0D_KlHs11Jp8I50Gg2Oc-ZRPPhiuJKhc&code_challenge_method=S256&nonce=SM97kDTYgx6iseSzqirXgcBo0nLXsGvUVWUy4klxban0l8galyb5Da3ZhiCJxjCc&prompt=none&redirect_uri=https://xyz.abc.com&response_mode=okta_post_message&response_type=code&state=1sgy4hDgcB6Bl6rOhDvsbMDpF3Dgqw3BBS2uh2KGA86oMs3vDMwLM6TTeeBLcFs6&scope=openid profile

Below is the error showing in developer tool.

Failed to execute ‘postMessage’ on ‘DOMWindow’: The target origin provided (‘https://xyz.abc.com’) does not match the recipient window’s origin https://org.abc.com

Did any one faced similar. Please let me know why it’s not working with okta_post_message .

When using okta_post_message, t is expected/required that the domain making the /authorize redirect should match the one that will receive the authorization code, aka the redirect_uri, see our docs for reference:

okta_post_message is an adaptation of the Web Message Response Mode (opens new window). This value provides a secure way for a single-page application to perform a sign-in flow in a pop-up window or an iFrame and receive the ID token, access token, and/or authorization code back in the parent page without leaving the context of that page. The data object for the postMessage call is in the next section.

Note: The value of the targetOrigin parameter for postMessage() specifies what the origin of parentWindow must be for the event to be dispatched (this is enforced by the browser). The okta_post_message response mode always uses the origin from the redirect_uri specified by the client. This is crucial to prevent the sensitive token data from being exposed to a malicious site.