Luke Bergen

Multiple origins with same domain but different port breaking CORS

Here's my situation:
At /admin/access/api/trusted_origins I configure two origins "http://localhost:3000" and "http://localhost:8080" in that order. One is for a user interface, the other an admin interface. (I'm just testing locally for now).

Now in a browser on localhost:8080 I make the following request: fetch("https://dev-927131.oktapreview.com/oauth2/v1/keys")
=> success

Now in a browser on localhost:3000 I make the same request: fetch("https://dev-927131.oktapreview.com/oauth2/v1/keys")
=> error: "The 'Access-Control-Allow-Origin' header has a value 'http://localhost:8080' that is not equal to the supplied origin"

If I go into Okta and delete those trusted origins and then re-add them but in the opposite order ":8080" and then ":3000" such that 3000 comes first in the interface, the situation reverses.

fetch("https://dev-927131.oktapreview.com/oauth2/v1/keys") from localhost:3000 => success.
fetch("https://dev-927131.oktapreview.com/oauth2/v1/keys") from localhost:8080 => the CORS error above but with "... has a value 'http://localhost:3000'..."

It's almost like Okta doesn't differentiate hosts by port and just grabs the first one that matches the domain but then sends the actual full thing (including port) back to the browser which then chokes.

Am I messing up the configuration somewhere or is this a bug?
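
Added example, not part of the original post and not Okta's code: a sketch of the host-only matching the post hypothesizes, beside a matcher that compares the full origin (scheme, host and port), with the browser's header check simulated. All function names and the lookup order of the list are assumptions made for illustration.

```javascript
// Added illustration; not Okta's implementation. Names are hypothetical.
// Assumed lookup order (the order the post says the interface shows first).
const LOOKUP_ORDER = ["http://localhost:8080", "http://localhost:3000"];

// Hypothesized flawed behaviour: match on hostname only, then echo the
// stored entry (port included) in Access-Control-Allow-Origin.
function allowOriginHostOnly(requestOrigin, trusted) {
  const reqHost = new URL(requestOrigin).hostname;
  const hit = trusted.find((t) => new URL(t).hostname === reqHost);
  return hit === undefined ? null : hit;
}

// Exact match: an origin is scheme + host + port (RFC 6454), so compare
// the serialized origin and echo back only a value that matched.
function allowOriginExact(requestOrigin, trusted) {
  let req;
  try {
    req = new URL(requestOrigin).origin;
  } catch {
    return null; // malformed or literal "null" Origin header
  }
  if (req === "null") return null; // opaque origins are never trusted
  return trusted.some((t) => new URL(t).origin === req) ? req : null;
}

// The browser compares the header value to the page's own origin as a
// plain string (the "*" wildcard is left out of this sketch).
function browserAccepts(pageOrigin, acaoHeader) {
  return acaoHeader !== null && acaoHeader === pageOrigin;
}

// Run both local pages from the post through a matcher.
function simulate(matcher, trusted) {
  const pages = ["http://localhost:3000", "http://localhost:8080"];
  return Object.fromEntries(
    pages.map((p) => [p, browserAccepts(p, matcher(p, trusted))])
  );
}

console.log("host-only:", simulate(allowOriginHostOnly, LOOKUP_ORDER));
console.log("exact:    ", simulate(allowOriginExact, LOOKUP_ORDER));
```

With host-only matching only the first listed port passes the browser check, which is the symptom reported above; with exact matching both pages pass and an unlisted port or scheme gets no header at all.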