Okta CORS issue? Works in Incognito, doesn't work outside of Incognito?


I’m hoping someone can help me figure out why I have a CORS issue for one of my URLs when I’m in Chrome. The odd thing is that the login works just fine when I open up an incognito browser and try the same login. See gif below for an example.


Here is the actual error:

I’m using the okta-auth-js library and have followed the instructions here. Code snippet for my login action is here:

// oktaClient, axios, cookies, LOGGER, types and the fetch*/process* helpers are imported elsewhere in this module
export const oktaLogin = (username, password) => {
  // Attempt to retrieve ID Token from Token Manager
  // Example: https://developer.okta.com/code/javascript/okta_auth_sdk
  return async (dispatch) => {
    try {
      let tokenResponse = await oktaClient.tokenManager.get("idToken");
      let idToken, oktaId;
      // Token comes back if not expired
      if (tokenResponse) {
        // Current token is still fine, just reuse it
        LOGGER.info(`Welcome back ${tokenResponse.claims.email}`);
        idToken = tokenResponse["idToken"];
        oktaId = tokenResponse.claims.sub;
      } else {
        dispatch({ type: types.RESET_AUTH });
        // Sign user in with okta
        let signIn = await oktaClient.signIn({ username, password });
        // TODO: Figure out if I should be setting this sessionToken
        // https://github.com/okta/okta-auth-js#sessionsetcookieandredirectsessiontoken-redirecturi
        // Get idToken from okta
        // oktaClient.session.setCookieAndRedirect(signIn.sessionToken)
        let tokenOrTokens = await oktaClient.token.getWithoutPrompt({
          sessionToken: signIn.sessionToken,
          responseType: ["id_token"],
          scopes: ["openid", "email", "profile"]
        });

        // Add token to axios
        tokenResponse = tokenOrTokens[0];
        idToken = tokenResponse["idToken"];
        oktaId = tokenResponse.claims.sub;
      }
      axios.defaults.headers.common["Authorization"] = idToken;

      // Get user
      let user = await dispatch(fetchLoginByOktaId(oktaId));
      let userId = user.user_id;

      let response = await fetchUserAccessAndGroups(userId);
      let routeData = processApprovedRoutes(/* argument list cut off in the original post */);

      // Set up cookies
      cookies.set("token", idToken, { path: "/" });
      cookies.set("username", user.username.trim(), { path: "/" });

      // Add token to tokenManager
      oktaClient.tokenManager.add("idToken", tokenResponse);
      dispatch(auth_user_success(user, routeData, response.groups));
      return Promise.resolve("Successfully logged in");
    } catch (err) {
      return Promise.reject(err);
    }
  };
};


Update: This works fine on my phone as well without needing to have an incognito browser.

Were you doing some sort of development on your desktop? Like, accessing the keys endpoint from another origin?

Thanks for the reply. Yes. I was doing dev on my local box. Tried closing all my browsers & still was getting the error without going incognito.

I’m pretty sure what is happening here is the browser cached the /keys OPTIONS call for CORS, and cached the value for the wrong domain. Running in incognito obviously will resolve it, but I would be willing to bet clearing the cache will do the same.

This is a known issue (code is done, should be released in the next week, unless there are any unforeseen circumstances), but shouldn’t impact any customers / clients of yours.

We are changing the caching headers so the browser doesn’t incorrectly cache for the wrong domain.
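An added illustration of the caching behaviour described in this reply (my example, not code from the thread or from Okta): a toy browser cache in front of an origin-reflecting /keys handler, run with and without a Vary: Origin response header, which is the assumed form of the server-side fix. The allowed origins and header values are constructed for the demo.

```javascript
// Added example, not code from the thread or from Okta: a toy browser cache in
// front of an origin-reflecting /keys handler. Without "Vary: Origin", the
// response cached for one origin (a localhost dev app here) is replayed to
// another origin, whose CORS check then fails as described in the reply above.
// ALLOWED_ORIGINS and all header values are constructed for the demo.
const ALLOWED_ORIGINS = new Set(["http://localhost:3000", "https://app.example.com"]);

// Per-origin CORS response; `vary` toggles the assumed fix (adding Vary: Origin).
function keysHandler(req, { vary }) {
  const headers = { "cache-control": "max-age=600", "content-type": "application/json" };
  if (ALLOWED_ORIGINS.has(req.origin)) headers["access-control-allow-origin"] = req.origin;
  if (vary) headers["vary"] = "Origin";
  return { headers, body: '{"keys":[]}' };
}

// Simplified HTTP cache: a stored response is reused only if every request
// header named in its Vary field has the same value as in the new request.
class ToyCache {
  constructor() { this.entries = []; }
  fetch(url, req, handler) {
    const hit = this.entries.find(e => e.url === url &&
      e.varyOn.every(h => (e.req[h] || "") === (req[h] || "")));
    if (hit) return { ...hit.res, fromCache: true };
    const res = handler(req);
    const varyOn = (res.headers["vary"] || "").split(",")
      .map(s => s.trim().toLowerCase()).filter(Boolean);
    this.entries.push({ url, req, varyOn, res });
    return { ...res, fromCache: false };
  }
}

// The browser-side check: Access-Control-Allow-Origin must name the calling origin.
function corsAllowed(res, origin) {
  return res.headers["access-control-allow-origin"] === origin;
}

// A localhost dev app loads /keys first, then the deployed app on its own domain does.
function simulate({ vary }) {
  const cache = new ToyCache();
  const handler = req => keysHandler(req, { vary });
  cache.fetch("/keys", { origin: "http://localhost:3000" }, handler);
  const second = cache.fetch("/keys", { origin: "https://app.example.com" }, handler);
  return { fromCache: second.fromCache, acao: second.headers["access-control-allow-origin"],
           allowed: corsAllowed(second, "https://app.example.com") };
}

console.log("without Vary:", simulate({ vary: false })); // fromCache true, allowed false
console.log("with Vary:   ", simulate({ vary: true }));  // fromCache false, allowed true
```

The first run reproduces the symptom from the thread (a cached Access-Control-Allow-Origin for localhost served to the real app, so the browser rejects it); the second shows the Vary header keying the cache entry on the requesting origin so each origin gets its own response.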


Thanks that makes sense and yes everyone else I had log in had no issues.

To get the fix all I’ll need to do is update to the latest version of Okta Auth JS when it’s released?

It is a server-side fix; once we start returning the right caching headers, you may need to clear your cache one more time and that should be it!

:smiley: even better. Thanks again for the support.