I am using the Passport.js library (specifically the passport-saml Strategy) to enable Single Sign-On for my company's app through Okta.
The desired use case is that a user navigates to the app's landing page (locally hosted), then authentication is checked through Passport calls to Okta. If the user is not logged into Okta, the browser will redirect them to Okta to log in. After logging in, they'll be redirected back to my app.
CORS is enabled for all of these requests, and I believe I’ve uncovered a possible bug with CORS headers not being sent back from Okta. For reference, I have followed the steps in this tutorial to ensure that my app’s origin is registered with Okta to grant cross-origin access: https://developer.okta.com/docs/guides/enable-cors/granting-cors/
During the preflight CORS check, the browser sends the OPTIONS request to Okta. Missing from the response is the Access-Control-Allow-Origin header. For this reason, my browser rejects the cross-origin request with the message "Access to fetch '' (redirected from '') has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."
The URI found above originates from the same domain that I registered in my Trusted Origins section in Okta.
It seems that the Okta response to the OPTIONS route needs to include an Access-Control-Allow-Origin header with the origins that were registered in Trusted Origins, but it does not.
Please let me know how I can further describe my issue, if need be. Thank you!
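The preflight check the post describes, as an added example that is not code from the original post, from Passport, or from Okta: a simplified JavaScript model of how a browser evaluates the OPTIONS (preflight) response before allowing a cross-origin fetch. The app origin, request headers and response headers below are constructed for illustration; the `demo()` function runs the post's failure case (no Access-Control-Allow-Origin) next to the case where the header carries the registered origin.

```javascript
// Added example (not from the original post): a simplified model of the
// browser's CORS preflight evaluation, to show why a missing
// Access-Control-Allow-Origin header on the OPTIONS response makes the
// browser reject the request. All origins and headers are constructed.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// Header names are case-insensitive, so compare on lowercase keys.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// Split a comma-separated header value into trimmed tokens.
function tokens(value) {
  return (value || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// A request skips the preflight only when its method and headers are safelisted.
// Simplification: Content-Type values are not inspected here.
function needsPreflight(request) {
  if (!SAFELISTED_METHODS.has(request.method.toUpperCase())) return true;
  return Object.keys(request.headers || {}).some((h) => !SAFELISTED_HEADERS.has(h.toLowerCase()));
}

// Evaluate the preflight (OPTIONS) response roughly the way a browser does.
// Returns { ok: true } or { ok: false, reason }.
function checkPreflight(request, response) {
  const h = lowerKeys(response.headers);
  const credentialed = request.credentials === 'include';

  // A preflight must answer 2xx; a redirect (3xx) or error fails the check.
  if (response.status < 200 || response.status >= 300) {
    return { ok: false, reason: `Preflight response status ${response.status} is not 2xx.` };
  }

  const acao = h['access-control-allow-origin'];
  if (acao === undefined) {
    return { ok: false, reason: "No 'Access-Control-Allow-Origin' header is present on the requested resource." };
  }
  if (acao === '*') {
    if (credentialed) return { ok: false, reason: 'Wildcard Access-Control-Allow-Origin cannot be used with credentials.' };
  } else if (acao !== request.origin) {
    return { ok: false, reason: `Access-Control-Allow-Origin '${acao}' does not match origin '${request.origin}'.` };
  }
  if (credentialed && h['access-control-allow-credentials'] !== 'true') {
    return { ok: false, reason: 'Credentialed request requires Access-Control-Allow-Credentials: true.' };
  }

  // Safelisted methods are always permitted; others must be listed explicitly.
  const method = request.method.toUpperCase();
  const allowedMethods = tokens(h['access-control-allow-methods']).map((m) => m.toUpperCase());
  const methodOk = SAFELISTED_METHODS.has(method) || allowedMethods.includes(method)
    || (!credentialed && allowedMethods.includes('*'));
  if (!methodOk) return { ok: false, reason: `Method ${method} is not allowed by Access-Control-Allow-Methods.` };

  // Every non-safelisted request header must be allowed by name (or '*' when uncredentialed).
  const allowedHeaders = tokens(h['access-control-allow-headers']).map((x) => x.toLowerCase());
  const headerWildcard = !credentialed && allowedHeaders.includes('*');
  for (const name of Object.keys(request.headers || {})) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n) && !headerWildcard && !allowedHeaders.includes(n)) {
      return { ok: false, reason: `Request header ${name} is not allowed by Access-Control-Allow-Headers.` };
    }
  }
  return { ok: true };
}

// Constructed scenario: the app origin (assumed) calls an IdP endpoint with a
// custom header, which forces a preflight. One response lacks the
// Access-Control-Allow-Origin header, the other carries the registered origin.
const APP_ORIGIN = 'https://app.example.com';
const request = {
  origin: APP_ORIGIN,
  method: 'GET',
  headers: { 'X-Requested-With': 'XMLHttpRequest' },
  credentials: 'include',
};
const responseMissingAcao = { status: 200, headers: { Allow: 'GET, POST, OPTIONS' } };
const responseWithAcao = {
  status: 200,
  headers: {
    'Access-Control-Allow-Origin': APP_ORIGIN,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'X-Requested-With',
  },
};

function demo() {
  return {
    preflightNeeded: needsPreflight(request),
    withoutAcao: checkPreflight(request, responseMissingAcao),
    withAcao: checkPreflight(request, responseWithAcao),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(JSON.stringify(demo(), null, 2));
```

Running `demo()` reproduces the message quoted in the post for the response without the header and returns `ok: true` once the preflight response names the requesting origin, allows credentials, and lists the custom header. The model deliberately omits some browser details (Content-Type inspection, `Access-Control-Max-Age` caching), but the ordering of the checks matches what the error message reports: the origin header is inspected first, so its absence fails the request before methods or headers are considered.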