My team and I are in the process of some long-delayed upgrades to a web application we’ve inherited. One of those upgrades is to the Okta Auth API. It’s a TypeScript app on top of an enterprise library built on React and Express JS. We’re using Okta’s AuthJS library to talk to Okta.
The upgrade is mostly complete. Unfortunately, we now have a CORS problem in Safari that is breaking the login process.
Our login process has several steps between accepting login credentials and creating a local logged-in session. After passing a correct MFA response to Okta, it proceeds to create the local session. The first step is to find the user information, which is a call to AuthJS’s getUser(). The path it is calling is /oauth2/v1/userinfo on our Okta tenancy. But this fails in Safari (and only Safari) with a CORS error.
And that’s where I’m stuck. Safari is not telling me enough about what’s wrong to know what to fix.