While using the Okta Developer setup, everything works 100% OK.
My company supports many existing implementations. This is just a new app I created. I am trying to figure out if the issue is on my side (client) or on the Okta configuration side.
When I start porting to my internal company Okta, I keep getting this error even though I’ve verified all the CORS settings:
AuthApiError
Access to XMLHttpRequest at 'https://mycompany.okta.com/oauth2/xxxxxx/v1/keys' from origin 'https://mywebsite-dev.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
However:
My CORS (Trusted Origins) is set up for https://mywebsite-dev.com
I can see the XHR OPTIONS call to https://mycompany.okta.com/oauth2/xxxxxx/v1/keys come back with Access-Control-Allow-Origin: https://mywebsite-dev.com. I compared it side by side with the working developer Okta and see all the same headers.
In my browser XHR calls I see this after logging in: response success {user: {…}, type: "SESSION_SSO", session: {…}, status: "SUCCESS"}
The Okta log shows successful logins.
Is there maybe a way to get a more verbose log of what happened?
Ah, sorry, I should have added that my company supports many existing implementations. This is just a new app I created. I am trying to figure out if the issue is on my side (client) or on the Okta configuration side. From their perspective it’s a very similar setup, so they believe it’s correct. I’m looking for more troubleshooting ideas to confirm the issue… maybe some verbose log??
In both requests I am using the SSWS token the same way and build up the requests with axios the same way, too. I have already set up the trusted origins, otherwise the first request would also not go through. So I am lost now.
Can anybody help here?
Here is the request that is not working, copied from the browser:
I’m surprised the first endpoint is working for you, as neither of these calls indicates it is CORS enabled, unlike, say, Get Current User, /api/v1/users/me, which can work based on the session cookie in the user’s browser: https://developer.okta.com/docs/reference/api/users/#get-user
Additionally, in terms of security, it is not a good idea to be making calls with an API key via the front end of your application. If your application does not have a back-end, you may want to look into using the /authn endpoint as the Change Password request for it does not require an API key: https://developer.okta.com/docs/reference/api/authn/#request-example-for-change-password
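As an added example (not code from any poster in this thread or from Okta), here is a small JavaScript diagnostic that replays the browser's CORS checks against captured OPTIONS and GET response headers, so a "No 'Access-Control-Allow-Origin' header" error can be pinned to the preflight or to the actual response. The request and header sets are constructed to mirror the symptom reported above, where the OPTIONS reply carries the origin but the real reply does not.

```javascript
// Added example (not from the original thread): replays the browser's CORS checks against
// captured response headers to pin a blocked call to the exact header. Inputs are constructed.
const SAFE_METHODS = ['get', 'head', 'post'];
const SAFE_HEADERS = ['accept', 'accept-language', 'content-language', 'content-type'];

const lowerKeys = h => Object.fromEntries(Object.entries(h || {}).map(([k, v]) => [k.toLowerCase(), v]));
const list = v => (v || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);

// Allow-Origin / Allow-Credentials checks that apply to both the preflight and the real response.
function originChecks(h, origin, withCredentials, label, reasons) {
  const acao = h['access-control-allow-origin'];
  if (!acao) reasons.push(`${label}: no Access-Control-Allow-Origin header`);
  else if (acao !== '*' && acao !== origin) reasons.push(`${label}: Allow-Origin '${acao}' is not '${origin}'`);
  else if (withCredentials && acao === '*') reasons.push(`${label}: credentialed request but Allow-Origin is '*'`);
  if (withCredentials && (h['access-control-allow-credentials'] || '').toLowerCase() !== 'true')
    reasons.push(`${label}: Access-Control-Allow-Credentials is not 'true'`);
}

// req = { origin, method, headers: [request header names], withCredentials }
// preflight = headers of the OPTIONS reply (null if none), actual = headers of the real reply.
// Returns [] when the browser would accept the exchange, otherwise one reason per failed check.
function corsFailures(req, preflight, actual) {
  const reasons = [], method = req.method.toLowerCase();
  const extra = (req.headers || []).map(h => h.toLowerCase()).filter(h => !SAFE_HEADERS.includes(h));
  if (!SAFE_METHODS.includes(method) || extra.length > 0) {   // non-simple request: preflight applies
    if (!preflight) return ['preflight required but no OPTIONS reply was captured'];
    const p = lowerKeys(preflight);
    originChecks(p, req.origin, req.withCredentials, 'preflight', reasons);
    const methods = list(p['access-control-allow-methods']);
    if (!SAFE_METHODS.includes(method) && !methods.includes(method) && !(methods.includes('*') && !req.withCredentials))
      reasons.push(`preflight: method ${req.method} not in Allow-Methods`);
    const allowed = list(p['access-control-allow-headers']);
    const wildcard = allowed.includes('*') && !req.withCredentials;
    for (const h of extra)   // '*' never covers Authorization; it must be listed explicitly
      if (!allowed.includes(h) && !(wildcard && h !== 'authorization'))
        reasons.push(`preflight: header ${h} not in Allow-Headers`);
  }
  originChecks(lowerKeys(actual), req.origin, req.withCredentials, 'actual response', reasons);
  return reasons;
}

// Constructed reproduction of the symptom in the thread: OPTIONS carries the origin, GET does not.
const keysRequest = { origin: 'https://mywebsite-dev.com', method: 'GET', headers: ['Authorization'] };
const optionsReply = { 'Access-Control-Allow-Origin': 'https://mywebsite-dev.com',
                       'Access-Control-Allow-Headers': 'authorization, content-type' };
const getReplyMissingAcao = { 'Content-Type': 'application/json' };
const getReplyOk = { 'Access-Control-Allow-Origin': 'https://mywebsite-dev.com' };
console.log(corsFailures(keysRequest, optionsReply, getReplyMissingAcao)); // one reason: actual response lacks ACAO
console.log(corsFailures(keysRequest, optionsReply, getReplyOk));          // []
```

Feed it the headers copied from the browser's network tab for both the OPTIONS and the GET; a clean preflight with a failing actual response means the server-side origin allow-list is only being applied to OPTIONS.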