Access to XMLHttpRequest Has Been Blocked by CORS Policy Error During Okta User Authentication
Overview
A Cross-Origin Resource Sharing (CORS) policy error occurs during user authentication because the redirect Uniform Resource Identifier (URI) or origin URL is missing from the Trusted Origins configuration. Adding the missing URLs to the Trusted Origins settings resolves this issue.
When authenticating users through Okta, the following error occurs:
Access to XMLHttpRequest at 'https://<subdomain>.okta.com/api/v1/authn' from origin 'http://<s3-website.amazonaws.com>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Cross-Origin Resource Sharing (CORS)
Cause
The redirect Uniform Resource Identifier (URI) or the origin URL from Amazon Simple Storage Service (S3) is missing from the Trusted Origins configuration in the Admin Console.
NOTE: In a production configuration, hosting the sign-in widget on a non-localhost domain is recommended.
Solution
How is the issue of access to XMLHttpRequest being blocked by CORS resolved?
Add the missing origin URL and redirect URL to the Trusted Origins configuration in the Okta Admin Console to resolve the error.
- Go to Security > API > Trusted Origins.
- Select Add Origin to add both the origin URL and the redirect URL.
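Because the browser reports an origin as scheme, host, and port only, an entry that differs in scheme or port from the page that makes the request still produces the error above. The following JavaScript (Node.js) helper is an added example, not Okta code: it derives the origin strings from the application's URLs, lists the ones with no matching entry, and classifies a preflight response. The hostnames are constructed placeholders, and comparing entries as exact origin strings is an assumption.

```javascript
// Added example, not Okta code. All hostnames are constructed placeholders.

// The browser sends Origin as scheme://host[:port], never with a path or query.
function originOf(url) {
  return new URL(url).origin; // drops path, query, fragment and default ports
}

// Which origins used by the app have no Trusted Origins entry yet?
// Assumption: entries are compared as exact origin strings.
function missingTrustedOrigins(appUrls, trustedOrigins) {
  const trusted = new Set(trustedOrigins.map(originOf));
  const needed = new Set(appUrls.map(originOf));
  return [...needed].filter((o) => !trusted.has(o));
}

// Classify a preflight (OPTIONS) response the way the browser's CORS check does.
// `headers` is a plain object with lowercase header names; pass
// withCredentials = true when the request is sent with credentials.
function diagnosePreflight(pageUrl, headers, withCredentials = false) {
  const origin = originOf(pageUrl);
  const allow = headers["access-control-allow-origin"];
  if (allow === undefined) return "blocked: no Access-Control-Allow-Origin header";
  if (allow === "*" && !withCredentials) return "allowed";
  if (allow === origin) return "allowed";
  return `blocked: header allows ${allow}, page origin is ${origin}`;
}

// Constructed sample data: page URL, redirect URI, and a second app host.
const appUrls = [
  "http://example-bucket.s3-website.example.com/index.html",
  "http://example-bucket.s3-website.example.com/login/callback",
  "https://app.example.com:8443/login/callback",
];
// Constructed current configuration: note the https entry for an http site.
const trustedOrigins = [
  "https://example-bucket.s3-website.example.com",
  "http://localhost:8080",
];

console.log(missingTrustedOrigins(appUrls, trustedOrigins));
console.log(diagnosePreflight(appUrls[0], {}));
```

The values returned by `missingTrustedOrigins` are the strings to enter under Add Origin; the page URL and the redirect URI on the same host collapse to a single origin.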
