Origin header is missing


I’ve created an OKTA app where I have defined the login URL on my service provider. When the request arrives at my service, I have some general security logic in which I check the origin of the requests. I do so by checking the Origin header of the request. For some reason, when I get the login request from OKTA, the value of that header is null.

Is there some configuration controlling it? Is it a known issue? A bug?



If I understand your setup correctly, Okta is just issuing a standard 302 Moved Temporarily redirect for the GET request. AFAIK browsers only send an Origin header on CORS requests and POSTs, which is why you are not seeing it.
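
An origin check that tolerates the header-less GET redirect described in the answer, as an added example that is not part of the original thread. The allowlisted origins, the function names and the policy (accept a missing Origin only on methods assumed to be side-effect free, reject the literal `null` value) are assumptions, not Okta or framework code.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Constructed allowlist; replace with your own app and IdP origins.
TRUSTED_ORIGINS = {"https://app.example.com", "https://example.okta.com"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Return 'scheme://host[:port]' in canonical form, or None if invalid."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # A serialized origin has no userinfo, path, query or fragment.
    if "@" in parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    origin = f"{parts.scheme}://{parts.hostname.lower()}"
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        origin += f":{port}"
    return origin


def check_origin(method, headers):
    """Return (allowed, reason) for one request."""
    names = {k.lower(): v for k, v in headers.items()}
    origin = names.get("origin")
    if origin is None:
        # Top-level GET navigations, such as a 302 redirect, carry no Origin.
        if method.upper() in SAFE_METHODS:
            return True, "no Origin header on a safe method"
        return False, "Origin header required for state-changing method"
    if origin.strip().lower() == "null":
        # Literal "null" is what browsers send for an opaque origin.
        return False, "opaque (null) origin"
    if normalize_origin(origin) in TRUSTED_ORIGINS:
        return True, "trusted origin"
    return False, "untrusted origin"
```
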