Okta CORS Issue? Works Incognito doesn't work outside of Incognito?


#1

Hi,

I’m hoping someone can help me figure out why I have a CORS issue for one of my urls when I’m in Chrome. The odd thing is that the login works just fine when I open an incognito browser and try the same login. See the gif below for an example.


Here is the actual error:

I’m using the okta-auth-js library and have followed the instructions here. Code snippet for my login action is here:

```javascript
export const oktaLogin = (username, password) => {
  // Attempt to retrieve ID Token from Token Manager
  // Example: https://developer.okta.com/code/javascript/okta_auth_sdk
  return async (dispatch) => {
    try {
      let tokenResponse = await oktaClient.tokenManager.get("idToken");
      let idToken, oktaId;
      // Token comes back if not expired
      if (tokenResponse) {
        // Current token is still fine, just reuse it
        LOGGER.info(`Welcome back ${tokenResponse.claims.email}`);
        idToken = tokenResponse["idToken"];
        oktaId = tokenResponse.claims.sub;
      } else {
        dispatch({ type: types.RESET_AUTH });
        dispatch(auth_user_request());
        // Sign user in with okta
        let signIn = await oktaClient.signIn({ username, password });
        // TODO: Figure out if I should be setting this sessionToken
        // https://github.com/okta/okta-auth-js#sessionsetcookieandredirectsessiontoken-redirecturi
        // Get idToken from okta
        // oktaClient.session.setCookieAndRedirect(signIn.sessionToken)
        let tokenOrTokens = await oktaClient.token.getWithoutPrompt({
          sessionToken: signIn.sessionToken,
          responseType: ["id_token"],
          scopes: ["openid", "email", "profile"]
        });

        // getWithoutPrompt returns an array when responseType is an array
        tokenResponse = tokenOrTokens[0];
        idToken = tokenResponse["idToken"];
        oktaId = tokenResponse.claims.sub;
      }
      // Add token to axios
      axios.defaults.headers.common["Authorization"] = idToken;

      // Get user
      let user = await dispatch(fetchLoginByOktaId(oktaId));
      let userId = user.user_id;

      let response = await fetchUserAccessAndGroups(userId);
      let routeData = processApprovedRoutes(
        response.access,
        response.protected
      );

      // Set up cookies
      cookies.set("token", idToken, { path: "/" });
      cookies.set("username", user.username.trim(), { path: "/" });

      // Add token to tokenManager
      oktaClient.tokenManager.add("idToken", tokenResponse);
      dispatch(auth_user_success(user, routeData, response.groups));
      dispatch(push("/"));
      return Promise.resolve("Successfully logged in");
    } catch (err) {
      LOGGER.error(err);
      dispatch(auth_user_error(err));
      return Promise.reject(err);
    }
  };
};
```


#2

Update: This works fine on my phone as well without needing to have an incognito browser.


#3

Were you doing some sort of development on your desktop? Like, accessing the keys endpoint from another origin?


#4

Thanks for the reply. Yes. I was doing dev on my local box. Tried closing all my browsers & still was getting the error without going incognito.


#5

I’m pretty sure what is happening here is that the browser cached the /keys options call for CORS, and the cached value is for the wrong domain. Running in incognito obviously will resolve it, but I would be willing to bet clearing the cache will do the same.

This is a known issue (code is done, should be released in the next week, unless there is any unforeseen circumstances), but shouldn’t impact any customers / clients of yours.

We are changing the caching headers so the browser doesn’t incorrectly cache for the wrong domain.

Thanks,
Tom
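As an added illustration (not from the thread or from Okta), here is a minimal model of an HTTP cache that shows the mechanism Tom describes: a /keys response cached without `Vary: Origin` is replayed to a second origin and then fails the browser's CORS check, while a fresh cache (incognito) or a response marked `Vary: Origin` avoids it. The tenant URL, the two origins and the JWKS body are constructed placeholders.

```javascript
// Added example (not from the thread or Okta): a minimal model of an HTTP cache
// showing why a /keys response cached without `Vary: Origin` fails for a second origin.
// Constructed server: echoes the requesting origin in the CORS header, as a JWKS
// endpoint would, with or without telling caches that the response varies by Origin.
function makeKeysServer(varyOnOrigin) {
  return (request) => {
    const headers = {
      'content-type': 'application/json',
      'cache-control': 'public, max-age=86400',
      'access-control-allow-origin': request.headers.origin,
    };
    if (varyOnOrigin) headers.vary = 'Origin';
    return { status: 200, headers, body: '{"keys":[]}' }; // constructed body
  };
}

// A stored entry is reusable only if every header named in its Vary value matches.
function varyMatches(entry, request) {
  const vary = entry.response.headers.vary;
  if (!vary) return true; // no Vary: any request for this URL reuses the entry
  return vary.split(',').map((h) => h.trim().toLowerCase())
    .every((h) => entry.request.headers[h] === request.headers[h]);
}

// Cache keyed by URL, in front of the server.
function makeCache(server) {
  const store = new Map();
  return (request) => {
    const entry = store.get(request.url);
    if (entry && varyMatches(entry, request)) return { ...entry.response, fromCache: true };
    const response = server(request);
    store.set(request.url, { request, response });
    return { ...response, fromCache: false };
  };
}

// Browser-side check: does the (possibly cached) response permit this origin?
function corsAllowed(response, origin) {
  const allow = response.headers['access-control-allow-origin'];
  return allow === '*' || allow === origin;
}

// Replay the thread's scenario: a local dev origin fetches /keys first, then the app.
function simulate(varyOnOrigin) {
  const fetchViaCache = makeCache(makeKeysServer(varyOnOrigin));
  const url = 'https://example.okta.com/oauth2/v1/keys'; // placeholder tenant URL
  fetchViaCache({ url, headers: { origin: 'http://localhost:3000' } });
  const app = 'https://app.example.com';
  const second = fetchViaCache({ url, headers: { origin: app } });
  return { fromCache: second.fromCache, allowed: corsAllowed(second, app) };
}
```

`simulate(false)` reproduces the symptom (cached entry, CORS denied for the app origin); `simulate(true)` shows the effect of the corrected caching headers.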


#6

Thanks, that makes sense, and yes, everyone else I had log in had no issues.

To get the fix all I’ll need to do is update to the latest version of Okta Auth JS when it’s released?


#7

It is a server-side fix; once we start returning the right caching headers, you may need to clear your cache one more time and that should be it!


#8

:smiley: even better. Thanks again for the support.