Origin header is missing


#1

Hi,

I’ve created an OKTA app where I have defined the login URL on my service provider. When the request arrives at my service, I have some general security logic in which I check the origin of the requests. I do so by checking the Origin header of the request. For some reason, when I get the login request from OKTA, the value of that header is null.

Is there some configuration controlling it? Is it a known issue? A bug?

Best,

Alon


#2

If I understand your setup correctly, Okta is just issuing a standard 302 Moved Temporarily redirect for the GET request. AFAIK browsers only send an Origin header on CORS requests and POSTs, which is why you are not seeing it.
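
An added example, not part of either post: one way to write a server-side origin check that tolerates the behaviour described in #2, where a redirected GET arrives without an Origin header. The allowlisted origin, the function names and the sample requests are hypothetical, and the check assumes GET endpoints do not change state.

```javascript
// Added example; hosts and names are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Returns { allow, reason } for a request shaped like { method, headers }.
function checkOrigin(req, allowed = ALLOWED_ORIGINS) {
  const method = String(req.method || "").toUpperCase();
  const origin = getHeader(req.headers, "origin");

  if (origin !== undefined && origin !== "") {
    // Header present: exact match only. The literal string "null"
    // is never in the allowlist, so it is rejected here.
    return allowed.has(origin)
      ? { allow: true, reason: "origin-allowed" }
      : { allow: false, reason: "origin-not-allowed" };
  }
  // Header absent: expected for a plain GET navigation such as the
  // 302 redirect into the login URL, so do not fail safe methods.
  if (SAFE_METHODS.has(method)) {
    return { allow: true, reason: "no-origin-safe-method" };
  }
  // A state-changing request without Origin is refused.
  return { allow: false, reason: "no-origin-unsafe-method" };
}

// Constructed sample requests covering each branch.
const SAMPLES = [
  { method: "GET", headers: { Host: "sp.example.com" } },
  { method: "POST", headers: { Origin: "https://app.example.com" } },
  { method: "POST", headers: { origin: "https://other.example.net" } },
  { method: "POST", headers: { Origin: "null" } },
  { method: "POST", headers: {} },
];

function runSamples() {
  return SAMPLES.map((req) => checkOrigin(req).reason);
}
```
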