Okta Classic Engine > Single Sign-On | Status: Answered | Timestamps: 2022-05-04T19:09:34.000Z, 2022-05-05T20:09:47.000Z

JordonK.35473 (Customer) asked a question.

CORS issues with end user Security Applications (Zscaler)

Posting here to provide information for anyone who may run into this or has, and may have a better solution.

Our Okta rollout for our SPA using the hosted Okta signin widget (not custom) ran into a roadblock we could not seem to overcome.

The CORS console error:

Access to fetch at 'https://<org>.okta.com/.well-known/webfinger?resource=okta::acct::<user_email>&requestContext=/oauth2/v1/authorize/redirect/okta_key=<key>'' (redirected from 'https://<org>.okta.com/.well-known/webfinger?resource=okta::acct::<user_email>&requestContext=/oauth2/v1/authorize/redirect/okta_key=<key>') from origin 'https://<org>.okta.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

It seems to boil down to how modern browsers handle redirects and how NULL origin headers are added.

We could not find any configuration in the Okta applications or Okta admin settings that would help us get around this.

Below is a screenshot of the changes that needed to be made to the custom signin widget in the Okta admin to get around the CORS error when end users had a Zscaler-like application redirecting URLs.

[Screenshot: /help/servlet/rtaImage?refid=0EM4z000003git9]

Would be great to get other input on better ways around this issue.


• JordonK.35473 (Customer)

Our assumptions are that the unauthenticated FETCH request sent from the base sign-in widget does not send cookies since Okta does not need them, but that means that Zscaler sees that request without the cookies it needs, so it initiates the redirect. That redirect is the root cause of the CORS problem because of how the ORIGIN header is changed in the browser for cross-origin requests.

Is there a better way to override that?
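The mechanism described in the post and the follow-up comment (an intercepting proxy redirects the widget's same-origin fetch through another host, the browser then sends `Origin: null`, and the final response fails the CORS check) can be traced with a small Node.js model. This is an added example, not code from the original post, from Okta or from Zscaler. It implements two rules from the WHATWG Fetch standard, the "redirect-tainted origin" rule that decides when the Origin header is serialized as the string `null`, and the "CORS check" applied to the final response, plus a `foreignHops` helper that lists the hosts a chain passed through, which is the quickest way to confirm from a HAR capture that an interception product inserted itself. Every hostname, the `gateway.example.invalid` interception host, the sample webfinger query and the assumption that the webfinger endpoint answers without an `Access-Control-Allow-Origin` header are constructed for the example.

```javascript
// Added example (not from the original post, Okta or Zscaler): a model of the
// Fetch-standard rules behind the "Origin: null" + missing ACAO failure above.
// All hostnames and response headers are constructed placeholders.

// Origin (scheme://host[:port]) of a URL, compared the way the browser does.
function originOf(url) {
  return new URL(url).origin;
}

// Fetch standard "redirect-tainted origin": walk the request's URL list (the
// original URL followed by every redirect target). A hop that changes origin is
// harmless while the previous hop was the requester's own origin; a hop that
// changes origin *from somewhere else* taints the request, and the browser
// then refuses to vouch for the page by sending the literal Origin "null".
function hasRedirectTaintedOrigin(requestOrigin, urlList) {
  let lastOrigin = null;
  for (const url of urlList) {
    const hopOrigin = originOf(url);
    if (lastOrigin !== null && hopOrigin !== lastOrigin && requestOrigin !== lastOrigin) {
      return true;
    }
    lastOrigin = hopOrigin;
  }
  return false;
}

// Value the browser writes into the Origin request header.
function serializedOrigin(requestOrigin, urlList) {
  return hasRedirectTaintedOrigin(requestOrigin, urlList) ? "null" : requestOrigin;
}

// Fetch standard "CORS check" on the final response (header names lower-cased).
// "*" is accepted only for requests made without credentials; otherwise the
// allow-origin value must equal the serialized Origin exactly, so "null" never
// matches a concrete origin the server might echo.
function corsCheck(serialized, headers, credentialsMode = "omit") {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { ok: false, reason: "No 'Access-Control-Allow-Origin' header is present" };
  }
  if (credentialsMode !== "include" && allowOrigin === "*") return { ok: true, reason: "" };
  if (allowOrigin !== serialized) {
    return { ok: false, reason: `Access-Control-Allow-Origin '${allowOrigin}' != Origin '${serialized}'` };
  }
  if (credentialsMode !== "include") return { ok: true, reason: "" };
  return headers["access-control-allow-credentials"] === "true"
    ? { ok: true, reason: "" }
    : { ok: false, reason: "Access-Control-Allow-Credentials is not 'true'" };
}

// Troubleshooting helper: the hops that left the page's origin, i.e. the hosts
// an interception proxy inserted into what the app intended as a same-origin fetch.
function foreignHops(requestOrigin, urlList) {
  return urlList.filter((u) => originOf(u) !== requestOrigin);
}

// Whole picture for one redirect chain, as taken from a console or HAR capture.
function diagnose(requestOrigin, urlList, finalHeaders, credentialsMode = "omit") {
  const hops = foreignHops(requestOrigin, urlList);
  const origin = serializedOrigin(requestOrigin, urlList);
  if (hops.length === 0) {
    // The chain never left the page's origin: a plain same-origin fetch, no CORS check.
    return { origin, foreignHops: hops, ok: true, reason: "same-origin request, no CORS check" };
  }
  return { origin, foreignHops: hops, ...corsCheck(origin, finalHeaders, credentialsMode) };
}

// Constructed scenario: the widget's cookie-less webfinger fetch is bounced by a
// security gateway to its own host and then back to the original URL.
const PAGE_ORIGIN = "https://example.okta.com";
const WEBFINGER = `${PAGE_ORIGIN}/.well-known/webfinger?resource=okta::acct::user@example.com`;
const INTERCEPTED_CHAIN = [
  WEBFINGER,
  "https://gateway.example.invalid/login?return=" + encodeURIComponent(WEBFINGER),
  WEBFINGER,
];
// Assumed final response: a same-origin endpoint that sends no CORS headers at all.
const WEBFINGER_HEADERS = { "content-type": "application/jrd+json" };

function main() {
  console.log("direct :", diagnose(PAGE_ORIGIN, [WEBFINGER], WEBFINGER_HEADERS));
  console.log("bounced:", diagnose(PAGE_ORIGIN, INTERCEPTED_CHAIN, WEBFINGER_HEADERS));
}

main();
```

Running it prints `ok: true` for the direct chain and, for the bounced chain, `origin: 'null'`, the gateway URL under `foreignHops`, and the same "No 'Access-Control-Allow-Origin' header is present" reason the console shows. The practical reading for a defender is that no `Access-Control-Allow-Origin` value the identity provider could send (other than `*`, which it will not send for a credential-bearing flow) can match `null`, so the fix has to stop the cross-origin bounce of the unauthenticated fetch rather than tune CORS on the Okta side, which is what the screenshot in the post does.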
This question is closed.