Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response

I’ve got an API defined in Okta Workflows, and was planning on calling it from a SPA and passing in an Authorization Bearer {JWT created by a PKCE flow} to authenticate, but apparently the CORS response will not allow an authorization header?
Yes, I’ve got my origin defined in the Security/API/Trusted Origins tab. The error is not that I’m not getting an Origin header, it’s returning:

access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept

How can I get Okta to allow the authorization header, too?

@RichardP What is the API you are trying to call? Do you have a screenshot for this error?

POST https://amfament-b2e.workflows.oktapreview.com/api/flo/3327635f3d2/invoke?action=getEndpoints

It’s an API I’m building in Okta Workflows.

Access to XMLHttpRequest at ‘https://amfament-b2e.workflows.oktapreview.com/api/flo/3327635f3d2/invoke?action=getEndpoints’ from origin ‘http://localhost:4200’ has been blocked by CORS policy: Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response.

@RichardP You can take a look at the doc here and check your configuration with the steps.

Read my original request again:
Yes, I’ve got my origin defined in the Security/API/Trusted Origins tab. The error is not that I’m not getting an Origin header.

It’s not responding properly to the Access-Control-Request-Headers.

Can you take a look at this thread, where I recommended having an HTTP Close card in your flow to ensure that even if your flow takes more than 60 seconds to complete, you are responding back to Okta before the connection times out.

It never gets to send the request because it won’t allow the authorization header, so it fails in CORS pre-flight.

Hi,

I’m having the same issue. Have you fixed it?

No, I ended up putting a piece of middleware (Layer 7 API Gateway) in front of it to resolve the issue.
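To make the failure in this thread concrete, here is an added example (not code from the thread, from Okta, or from the gateway product the last reply mentions). It reproduces the browser's CORS-preflight decision as the Fetch spec describes it, runs it against the `access-control-allow-headers` value quoted above, and then builds the kind of preflight reply a piece of middleware in front of the API has to return for the `Authorization` header to get through. The origin `http://localhost:4200`, the requested header names and the trusted-origin set are constructed for the demo; the gateway function is a hypothetical stand-in for whatever the real gateway does.

```python
"""Added example (not code from the thread or from Okta): reproduces the
browser's CORS-preflight decision and shows what a gateway in front of the API
must answer for an Authorization header to be accepted."""

# Methods a browser may use cross-origin without them being listed in
# Access-Control-Allow-Methods (CORS-safelisted methods, Fetch spec).
CORS_SAFELISTED_METHODS = {"GET", "HEAD", "POST"}


def _csv_set(value):
    """Split a comma-separated header value into a lower-cased set of tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def preflight_allows(method, requested_headers, response_headers, origin, credentials=False):
    """Return (allowed, reason), following the Fetch spec's CORS-preflight checks.

    `requested_headers` are the names the browser put into
    Access-Control-Request-Headers; `response_headers` is the preflight reply.
    Header names in the reply are matched case-insensitively.
    """
    resp = {k.lower(): v for k, v in response_headers.items()}
    acao = resp.get("access-control-allow-origin", "")

    # Origin check: "*" is never acceptable when credentials are included.
    if acao != origin and not (acao == "*" and not credentials):
        return False, f"origin {origin} not allowed by Access-Control-Allow-Origin={acao!r}"
    if credentials and resp.get("access-control-allow-credentials", "").lower() != "true":
        return False, "credentialed request but Access-Control-Allow-Credentials is not 'true'"

    # Method check: "*" only acts as a wildcard without credentials.
    methods = {m.strip().upper() for m in resp.get("access-control-allow-methods", "").split(",") if m.strip()}
    method_wildcard = "*" in methods and not credentials
    if method.upper() not in methods and method.upper() not in CORS_SAFELISTED_METHODS and not method_wildcard:
        return False, f"method {method} not allowed by Access-Control-Allow-Methods"

    # Header check: "*" is a wildcard only without credentials, and per the
    # Fetch spec it never covers Authorization, which must be listed explicitly.
    allowed = _csv_set(resp.get("access-control-allow-headers", ""))
    header_wildcard = "*" in allowed and not credentials
    for name in sorted(_csv_set(",".join(requested_headers))):
        if name in allowed:
            continue
        if header_wildcard and name != "authorization":
            continue
        return False, f"request header field {name} is not allowed by Access-Control-Allow-Headers"
    return True, "preflight ok"


def gateway_preflight_response(request_headers, trusted_origins):
    """Hypothetical gateway handler for OPTIONS, mirroring the middleware
    workaround from the thread: echo only a trusted Origin (never "*"),
    and list Authorization explicitly."""
    origin = request_headers.get("Origin", "")
    if origin not in trusted_origins:
        # No CORS headers at all, so the browser blocks the request.
        return 403, {}
    return 204, {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # responses differ per origin; keep caches honest
        "Access-Control-Allow-Methods": "POST, OPTIONS",
        "Access-Control-Allow-Headers": "Authorization, Content-Type",
        "Access-Control-Max-Age": "600",
    }


# Constructed inputs modelled on the thread: SPA on localhost, bearer token in
# Authorization, JSON body (so Content-Type is requested too).
ORIGIN = "http://localhost:4200"
REQUESTED = ["authorization", "content-type"]

# The preflight reply quoted in the thread: Authorization is not in the list.
OBSERVED = {
    "access-control-allow-origin": ORIGIN,
    "access-control-allow-methods": "POST",
    "access-control-allow-headers": "Origin, X-Requested-With, Content-Type, Accept",
}


def demo():
    """Run the three scenarios and return their outcomes keyed by name."""
    results = {}
    results["observed"] = preflight_allows("POST", REQUESTED, OBSERVED, ORIGIN)
    wildcard = dict(OBSERVED, **{"access-control-allow-headers": "*"})
    results["wildcard"] = preflight_allows("POST", REQUESTED, wildcard, ORIGIN)
    _, gw_headers = gateway_preflight_response(
        {"Origin": ORIGIN, "Access-Control-Request-Method": "POST"}, {ORIGIN})
    results["gateway"] = preflight_allows("POST", REQUESTED, gw_headers, ORIGIN)
    results["untrusted"] = gateway_preflight_response({"Origin": "https://other.example"}, {ORIGIN})[0]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>9}: {outcome}")
```

Two things worth noting from the run: the quoted reply fails for exactly the reason the browser error message gives, and switching the allow-list to `*` would not have helped, because the wildcard never covers `Authorization`. The gateway reply passes because it names the header, and it refuses unknown origins rather than echoing them, which is the check you want on anything that now sits in front of an API accepting bearer tokens.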