Openid-configuration request blocked by CORS policy

Hello,
We recently starting seeing an issue in the console with our Okta integration on Chrome browsers. New version of Chrome and Edge do not have this issue.

'Access to XMLHttpRequest at ‘https://mycompany.okta.com/.well-known/openid-configuration’ from origin ‘mycompany.com’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

We’ve verified that the CORS policy is set correctly in Okta for our client domain. We know this is an issue with Chrome, but we’d like to avoid switching or updating our users browsers.

I’ve tried setting the issuer field in the Okta auth component, but we still are getting the error. I’m using OktaAuth 3.2.5 in our legacy Angular app. We are using the .getWithoutPrompt method on OktaAuth.

We are not seeing the CORS error on other Okta calls (authorize, etc). Is there a way to fix this or disable the call to openid-configuration for our flow?

Thanks,
Chris

1 Like

Our SDKs automatically make a CORS request to your well-known endpoint to dynamically fetch information about your authorization server’s endpoints.

You mentioned this is an issue in Chrome only. Does it only affect certain users? If so, can you try clearing your browser cache/cookies and re-testing it?

No, it affects anyone using Chrome version 87. We wiped all cache/cookies and still see the issue.

Same issue here. Just started happening yesterday to our users on Chrome only. Clearing the cache does not seem to work. Have asked them to use Edge in the meantime.

Update. Also happening on Firefox. Has been working fine for over a year.

We are also seeing this issue on Chrome version 89

Hi @ce_ryan, @ckantzer,

Could you email developers@okta.com with the details so that one of the Engineers can help you with this ?

Thanks!

I opened a ticket in Git Openid-configuration request blocked by CORS policy · Issue #679 · okta/okta-auth-js · GitHub. Does this have enough detail or do you need more info?

@ckantzer @ce_ryan Okta has identified the resolution for this issue. If you still get the cors error, please email developers@okta.com mentioning your okta org subdomain and the other details.

Are you able to post the resolution here or do we need to email the developers?

We are gathering some additional information as we are still seeing this issue as of this morning and getting reports of users who’s Chrome was working and now has stopped working this morning with the same error. Will send an email to the developers with OS versions and Chrome Versions affected.

1 Like

@ce_ryan Hi, this is an known issue, please help check the below workaround. Our ENG is currently fixing it.

The problem still persists. The solution is to click the Chrome refresh icon keeping the Shift button pressed (or cleaning the browser’s files cache). However, the problem is back within an hour or so.

We experienced this issue on Apr 6 at 1:45 pm PST for the first time. An app that worked in production for a couple of weeks without changed stopped to show the CORS error.
Chrome version is 89.

We have deployed a fix for this in all Orgs. @ce_ryan, @ckantzer, and @ssmirnov, can you re-test your application to see if this behavior persists? As this is related to caching, it may take a few days to fully resolve for your users, so definitely reach out to us again if you still see this issue occurring next week.

Note that if you opened a support case with us about this, we may have helped you test a potential workaround involving disabling some recently deployed features that were related, so your results may differ.

It looks the fix is working. Users are reporting that they are able to access our applications using Chrome.

Thanks!

1 Like

You method is also working finely in PC thanks for the incredible solution.

@ckantzer I have become a fan of you. :heart_eyes:

Thanks, but I just reported this issue. Okta did the heavy lifting and actually released a fix. I was just the squeaky wheel. :grinning: