Okta - the /authorize endoint blocked by CORS

I have an ASP.NET web application with target framework .Net Framework 4.7.2

  • Backend is WebAPI.
  • Frontend is Aurelia framework

I successfully integrated Okta in this web app.

My Okta config:

  • OIDC - OpenID Connect
  • Web application
  • Grant type: Authorization code, Implicit (hybrid), Allow ID token with implicit grant type.

Users can authenticate through Okta and sign out. I tested all kind of scenario and everything is working well. But I noticed one problem: if the web app is idle for about one hour (I mean no activity at all), this is like if the authentication has expired. At that moment there is a call to the /authorize endpoint. Unfortunately this call is blocked by CORS.

  • I added a rule in the ‘Trusted Origins’ on the Okta portal.
  • I allowed CORS in my web app.

As you can see in the console below, Access to fetch at … from origin … has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

As you can see below:

  • A: after one hour of inactivity, the first call of the user is blocked. With a status code 302 (redirect)
  • B: immediately after there is a call on the /authorize endpoint which failed because of CORS.

I have 2 cookies: ASP.NET_SessionId and .AspNet.Cookies

Below the code in my Startup.cs

app.UseCookieAuthentication(new CookieAuthenticationOptions());

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    ClientId = clientId,
    ClientSecret = clientSecret,
    Authority = authority,
    RedirectUri = redirectUri,
    ResponseType = OpenIdConnectResponseType.CodeIdToken,
    Scope = "offline_access openid email profile", //OpenIdConnectScope.OpenIdProfile,
    PostLogoutRedirectUri = postLogoutRedirectUri,
    TokenValidationParameters = new TokenValidationParameters
        NameClaimType = "preferred_username"
    Notifications = new OpenIdConnectAuthenticationNotifications
        AuthorizationCodeReceived = async notif =>
        RedirectToIdentityProvider = notif =>
        AuthenticationFailed = notif => 


I found another similar thread where someone says “It seems that you make the request to /authorize in your client-side Javascript code, via fetch, but you must instead load this URL in the browser. Then the redirection will also happen in the browser.” The problem seems identical to mine because this is a fetch in my case as well. If I manually copy/paste this /authorize call inside another tab, it works, the user is again authenticated.

So my question is to know what’s wrong with that ? Why the /authorize call is blocked ? Why CORS headers are not present on this call ? This is my first time with Okta so maybe I do something wrong.

The /authorize call requires a user-agent redirect. Okta will not set access control headers for this endpoint even if your trusted origins is setup correctly.
From here,
Note: When making requests to the /authorize endpoint, the browser (user agent) should be redirected to the endpoint. You can’t use AJAX with this endpoint.


Thanks for the clarification. There is still something that I do not understand. How is it that after 1 hour of inactivity (web site still open in the browser but no activity) when the user come back to work he is no longer authenticated. Conversely, if the user is active on the site (for hours), the user remains well authenticated. I seem to have noticed this while testing.