A Cross-Origin Resource Sharing (CORS) policy error occurs during user authentication because the redirect Uniform Resource Identifier (URI) or origin URL is missing from the Trusted Origins configuration. Adding the missing URLs to the Trusted Origins settings resolves this issue.
When authenticating users through Okta, the following error occurs:
Access to XMLHttpRequest at 'https://<subdomain>.okta.com/api/v1/authn' from origin 'http://<s3-website.amazonaws.com>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Cross-Origin Resource Sharing (CORS)
The redirect Uniform Resource Identifier (URI) or the origin URL from Amazon Simple Storage Service (S3) is missing from the Trusted Origins configuration in the Admin Console.
NOTE: In a production configuration, hosting the sign-in widget on a non-localhost domain is recommended.
How is the issue of access to XMLHttpRequest being blocked by CORS resolved?
Add the missing origin URL and redirect URL to the Trusted Origins configuration in the Okta Admin Console to resolve the error.
- Go to Security > API > Trusted Origins.
- Select Add Origin to add both the origin URL and the redirect URL.
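The following added example (not Okta's code) reduces the app URL and the redirect URI to the origin the browser sends, then reports which ones are absent from a hand-copied Trusted Origins list. The hostnames, the `TRUSTED` list and its `types` field are constructed stand-ins for what the Trusted Origins page shows. Requiring the CORS type for the hosting page and the Redirect type for the redirect URI is an assumption.

```javascript
// Added example. Hostnames and the TRUSTED list are constructed sample data.

// Reduce a URL to the value the browser sends in the Origin header:
// scheme + host + non-default port, with no path, query or trailing slash.
function toOrigin(url) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error(`not an http(s) URL: ${url}`);
  }
  return u.origin;
}

// required: [{ url, type }], trusted: [{ origin, types }] (hypothetical shape).
// Entries are compared as exact strings so that a near miss (wrong scheme,
// trailing slash, extra path) is reported instead of silently accepted.
function missingOrigins(required, trusted) {
  const missing = [];
  for (const { url, type } of required) {
    const origin = toOrigin(url);
    const ok = trusted.some(t => t.origin === origin && t.types.includes(type));
    const dup = missing.some(m => m.origin === origin && m.type === type);
    if (!ok && !dup) missing.push({ origin, type });
  }
  return missing;
}

// Constructed copy of the Trusted Origins list, typed in by hand.
const TRUSTED = [
  { origin: 'https://my-bucket.s3-website.example.com', types: ['CORS', 'REDIRECT'] },
  { origin: 'http://localhost:8080', types: ['CORS'] },
];

// Constructed URLs: the page that hosts the sign-in widget and its redirect URI.
const REQUIRED = [
  { url: 'http://my-bucket.s3-website.example.com/index.html', type: 'CORS' },
  { url: 'http://my-bucket.s3-website.example.com/login/callback', type: 'REDIRECT' },
];

for (const m of missingOrigins(REQUIRED, TRUSTED)) {
  console.log(`Add Origin: ${m.origin} (type ${m.type})`);
}
```

In this sample the list holds only the `https://` form of the host, so both `http://` entries are reported as missing: the scheme is part of the origin.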
