
CharlieK.32440 (Customer) asked a question.
Background: I am attempting to implement Okta Authentication into an existing application (C#, Web API).
For a starting point, I looked for an example and ran:
https://github.com/okta/samples-aspnet/tree/master/okta-hosted-login/okta-aspnet-mvc-example
Example worked fine. It runs on http://localhost:8080 and I entered my Okta client ID, secret, Redirect URI, etc. into the web.config.
I see an Authorization call to Okta is done once and it is an HTTP GET. All good.
Question #1: Even though it worked, why did I not have to enter http://localhost:8080 into the 'Trusted Origins' section, which I thought would have been needed to hit the Okta Authorization server?
My Problem
My app runs locally on https://localhost.mycompany.dev:44300
My hosts file allows this to resolve (127.0.0.1 localhost.mycompany.dev)
Taking the Authentication code from what I learned in the example project, it WORKS for a while, and then stops working.
If I run in incognito, it never does and I get the following error. Also, after a while (still nailing down timing) it begins to not run in non-incognito mode.
In failing scenarios, I see the authorization call is an HTTP OPTIONS (what all of a sudden triggers this?)
I get the following error when this call is made.
Failed to load https://dev-495115.oktapreview.com/oauth2/default/v1/authorize?client_id=0oaiyft8whiLA1p6K0h7&redirect_uri=https%3a%2f%2flocalhost.mycompany.dev%3a44300%2fauthorization-code%2fcallback&response_mode=form_post&response_type=code+id_token&scope=openid+profile&state=OpenIdConnect.AuthenticationProperties%3dnOUIEgy3XmOXGViF5IT7qrPWDqu1YI8YhDViRrmlNUsL2CvcC-Vr8jUPAaOUv2e_I2qphvt8a6nvuH_z6KyDn8UzAUFeTtnpaWFtjDpZHqWx2gELsE1VW45EO75NUg7e9TqBUJdbiyMCCkAqDvyJDGsGEXZ95YweQHOtD86zUBjsVMygAKQb8wJWJNkg8xjEQvBm4VD0kBS1RpdCb0xH7q5iadiTlNfcgsFuE98so0w8XZJRFV-9f4f8AhyuSsg2Nof7k5hXkI1JnFAnVdVJJRUZx5QFNhYzYGt8p2N9llHHIKzQXM--F-eYCp6CA8PG&nonce=636831601581659817.YmRjNmVmY2ItNWVmZS00MzBiLTg4MWItNWJhMTc5OWI4OWVjZWVkODdjNjAtNDEzNC00ODNiLTlmMDUtMTI1MGEyNDMxMzUy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://localhost.mycompany.dev:44300' is therefore not allowed access.
In the Okta Admin for my Authorization server, in an attempt to fix I added the following trusted origins:
https://localhost.mycompany.dev:44300
http://localhost.mycompany.dev:44300
https://localhost.mycompany.dev
http://localhost.mycompany.dev
Again note, I was running my app for a while. I could see Okta claims, etc... Thank you for taking the time to help!
Charlie

Not a professional with .NET but maybe something like https://support.okta.com/help/s/article/50360933-Cross-Origin-Resource-Sharing or https://enable-cors.org/server_aspnet.html will help you?
Hi Charlie,
Thanks for posting. It sounds like you'll need to have a feature flag enabled in your Org. You'll need to contact support regarding enabling trusted origins in your Org.
Cheers,
Bil
Hi @Charlie,
Were you able to resolve this issue? I am running into the same issue even with the URL whitelisted under app->trusted origin.
Thanks,
Anuj
Hi Anuj, I solved this by going down a different path (I was new to all this at the time). I do have a C# Web Api backend and a React.js front end (SPA). Initially, based on what I had read, I was working towards an implicit flow and that is when I started with this example. I've since seen the light 🙂 and see that the implicit flow isn't really what I should have been doing, nor is it recommended (at least from what I can tell). Here is a great article that helped:
https://developer.okta.com/blog/2019/05/01/is-the-oauth-implicit-flow-dead
Hope that helps! And sorry I don't have more info to give on my above question.
This helped me. https://stackoverflow.com/a/52896202/1188197
In your ASP.NET Core ^2.2 application:
1. In Startup.cs, in the Configure method, BEFORE the app.UseMvc() call, add the following code:
    app.UseCors("AllowOrigin");
2. In Startup.cs, in the ConfigureServices method, BEFORE the services.AddMvc() call, add the following code:
    services.AddCors(o => o.AddPolicy("AllowOrigin", builder =>
    {
        // Accepts cross-origin requests from every origin
        builder.AllowAnyOrigin()
               .AllowAnyMethod()
               .AllowAnyHeader();
    }));
In my case I'm allowing any origin, but you can instead use a specific origin like this:
    services.AddCors(o => o.AddPolicy("AllowOrigin", builder =>
    {
        // Accepts cross-origin requests only from this exact scheme, host and port
        builder.WithOrigins("http://localhost:8080")
               .AllowAnyMethod()
               .AllowAnyHeader();
    }));
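
The difference between the two policies in the answer above comes down to how the request's Origin is compared with the allowed list: scheme, host and port must all match. The following is an added example, not code from this thread and not ASP.NET Core's own implementation; it models that check in JavaScript with hypothetical function names and a hypothetical policy object, using the origins quoted in the question as sample data.

```javascript
// Added example: models the origin check behind a CORS preflight response.
// Not ASP.NET Core's implementation; all names here are hypothetical.

// Reduce a URL or Origin header value to scheme://host[:port].
function normalizeOrigin(value) {
  try {
    const u = new URL(value);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.origin; // host lower-cased, default port (80/443) dropped
  } catch {
    return null; // "null", "*" or malformed input never matches
  }
}

// Headers for an OPTIONS preflight, or null when no CORS headers are sent.
function preflightHeaders(request, policy) {
  const origin = normalizeOrigin(request.origin);
  const allowed = new Set(policy.origins.map(normalizeOrigin).filter(Boolean));
  const method = String(request.requestedMethod || "").toUpperCase();
  if (origin === null || !allowed.has(origin)) return null;
  if (!policy.methods.includes(method)) return null;
  return {
    "Access-Control-Allow-Origin": origin, // the single matching origin, not "*"
    "Access-Control-Allow-Methods": policy.methods.join(", "),
    "Access-Control-Allow-Headers": policy.headers.join(", "),
    "Vary": "Origin", // keep caches from reusing this answer for other origins
  };
}

// Entries of a configured list that equal the origin the browser sent.
function matchingEntries(origin, entries) {
  const o = normalizeOrigin(origin);
  return entries.filter((e) => o !== null && normalizeOrigin(e) === o);
}

// Constructed sample: the four origins listed in the question, and the
// Origin value quoted in its error message.
const listed = [
  "https://localhost.mycompany.dev:44300",
  "http://localhost.mycompany.dev:44300",
  "https://localhost.mycompany.dev",
  "http://localhost.mycompany.dev",
];
const browserOrigin = "https://localhost.mycompany.dev:44300";

console.log(matchingEntries(browserOrigin, listed));
console.log(preflightHeaders(
  { origin: browserOrigin, requestedMethod: "POST" },
  { origins: ["http://localhost:8080"], methods: ["GET", "POST"], headers: ["Content-Type"] }));
```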