Okta Access Gateway: Application Getting CORS Error After Session Expiration
Last Updated:
Overview
When an Okta Access Gateway (OAG) session expires, applications encounter a Cross-Origin Resource Sharing (CORS) error upon form submission because JavaScript fails to send the API redirect link to the browser. Resolve this issue by increasing the session timeout, using the browser session expiration setting, or applying the Extend AJAX session policy. The observable symptom is a CORS error appearing when a form is submitted following an expired OAG session, which prevents the login flow from initiating.
Applies To
- Okta Access Gateway (OAG)
- Okta Identity Engine (OIE)
- Okta Classic Engine
Cause
This issue occurs because of how JavaScript handles the page refresh. JavaScript performs an API call and receives a redirect link after expiration but is not designed to send the link to the browser. The request then fails with a CORS error. Because the browser does not receive the redirect link, Okta does not initiate the login flow.
Solution
How is the CORS error resolved after an Okta Access Gateway session expires?
Implement one of the following workarounds to adjust the session configuration and resolve the CORS error.
- Increase the session timeout or use the browser session expiration setting for the application.
- Use the Extend AJAX session policy in the OAG application.
