Security Image not working in Okta's Angular Sign in widget


#1

Steps to reproduce:

  1. Go to the hosted live-widget demo.
  2. Add the feature flag securityImage: true.
  3. Replace the baseUrl and clientId with your instance's values.
  4. Inspect Console.
  5. Enter valid email into widget.
  6. You should get the following CORS error for the getImage request:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://dev-439852.oktapreview.com/login/getimage?username=matthew.ettler@slalom.com. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

When I embed the Angular example, and add my domain as a trusted origin, I still get this issue.
As far as I can tell this is a bug, but it’s very possible I’ve missed something.

Any eyes on this would be greatly appreciated as I am currently developing a solution that relies on this functionality, Thanks for your time!
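The errors quoted in this thread are the browser refusing to expose a cross-origin response because the expected CORS headers are absent. The following is an added example, not code from the thread or from Okta: it reproduces the browser's decision offline, so a response captured from the widget's getimage request (headers pasted from the network tab) can be checked against the origin the widget runs on. The origin and header values below are constructed placeholders; that the widget sends credentials (cookies) with the request is an assumption.

```python
"""Offline check of the browser's CORS decision for a cross-origin request.

Given the Origin the sign-in widget is served from and the response headers
returned by the org's /login/getimage endpoint (or its preflight), decide
whether the browser would expose the response and explain why not if it would not.
"""
from typing import Dict, Optional, Tuple

# Constructed placeholder: the origin the widget page is loaded from.
WIDGET_ORIGIN = "https://widget.example.test"


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cors_allows(origin: str, headers: Dict[str, str],
                with_credentials: bool = True) -> Tuple[bool, str]:
    """Return (allowed, reason) following the browser's CORS rules.

    with_credentials=True models a request that carries cookies (assumed for
    the widget), which forbids the '*' wildcard and requires
    Access-Control-Allow-Credentials: true.
    """
    acao = _lookup(headers, "Access-Control-Allow-Origin")
    if acao is None:
        # This is the condition behind the errors quoted in the thread.
        return False, "CORS header 'Access-Control-Allow-Origin' missing"
    if acao == "*":
        if with_credentials:
            return False, "wildcard '*' is not accepted for credentialed requests"
        return True, "wildcard allows any origin"
    if acao != origin:
        return False, f"'{acao}' does not match requesting origin '{origin}'"
    if with_credentials and _lookup(headers, "Access-Control-Allow-Credentials") != "true":
        return False, "Access-Control-Allow-Credentials: true is required"
    return True, f"origin '{origin}' is allowed"


# Constructed sample responses: the failing case from the thread, and what a
# correctly configured Trusted Origin (type CORS) should produce.
MISSING_CORS = {"Content-Type": "image/png"}
CORRECT_CORS = {"Access-Control-Allow-Origin": WIDGET_ORIGIN,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}

if __name__ == "__main__":
    for label, hdrs in (("missing", MISSING_CORS), ("correct", CORRECT_CORS)):
        print(label, cors_allows(WIDGET_ORIGIN, hdrs))
```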


#2

Well, in your steps to reproduce, I think you’ll need to add developer.okta.com to your trusted origin for the demo to work correctly without a CORS error. For your own example, make sure that when you add your personal domain to your trusted origin list that the “Type” includes CORS.


#3

I can confirm that this still does not work (widget version 2.11) with a hosted sign-in widget.
I added my personal domain to the “Trusted origin” and selected CORS as the type, but I am still getting

"Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."

It would be nice to make this work; when users activate their accounts they need to select a security image, but they never see it anywhere, so questions arise.

Any follow-up on this by the team?

Thank you all for your time.


#4

I tried tinkering with the trusted origin configurations, and I could get it working for everything other than the security image.

Unfortunately I did recently hear back from one of my Okta connections who informed me that you shouldn’t actually be able to do this yet…

Seems odd to me since it’s in the docs, but guess sometimes that just happens. Would love to know an ETA on this feature though.