Overview

Cross-Origin Resource Sharing (CORS) is a mechanism that allows a web page to make an AJAX call using XMLHttpRequest (XHR) to a domain that is different from the one from which the script was loaded. Such “cross-domain” requests would otherwise be forbidden by web browsers under the same-origin security policy. CORS defines a standardized way in which the browser and the server interact to determine whether or not to allow the cross-origin request.

In Okta, CORS allows JavaScript hosted on your websites to make an XHR to the Okta API with the Okta session cookie. Every website origin must be explicitly permitted via the Okta Admin Dashboard for CORS.

Caution: Only grant access to specific origins (websites) that you control and trust to access the Okta API.

API Support

The Okta API supports CORS on an API-by-API basis. If you’re building an application that needs CORS, check that the specific operation supports CORS for your use case. APIs that support CORS are marked with the CORS icon.

Browser Support

Not all browsers support CORS. The following table describes which browsers support this feature.

IE8 and IE9 do not support authenticated requests and cannot use the Okta session cookie with CORS.

Granting Cross-Origin Access to Websites

You can enable CORS for websites that need cross-origin requests to the Okta API on the Okta Developer Dashboard. Select API > Trusted Origins to see the screen shown below.

CORS Settings UI

Select Add Origin to specify the base URL of the website you want to allow to make cross-origin requests.

Note: If you do not enable CORS, or disable it at a later date, the list of websites is retained.

Testing

You can test your CORS configuration with the following test tool:

  1. Explicitly allow this website (https://developer.okta.com) on the Okta Developer Dashboard
  2. Sign in to your Okta organization in another browser tab
  3. Enter your Okta organization in the form below and click Test

If you successfully completed the steps above, you should see your Okta user profile.

Request Examples

The following code samples can be added to your website to test your CORS configuration. Remember to replace the baseUrl with the URL for your Okta organization.

XMLHttpRequest
var baseUrl = 'https://{yourOktaDomain}.com';
var xhr = new XMLHttpRequest();
// withCredentials is only defined on XHR objects that support CORS
if ("withCredentials" in xhr) {
  xhr.onerror = function() {
    alert('Invalid URL or Cross-Origin Request Blocked.  You must explicitly add this site (' + window.location.origin + ') to the list of allowed websites in your Okta Admin Dashboard');
  };
  xhr.onload = function() {
    alert(this.responseText);
  };
  xhr.open('GET', baseUrl + '/api/v1/users/me', true);
  // send the Okta session cookie with the cross-origin request
  xhr.withCredentials = true;
  xhr.send();
} else {
  alert("CORS is not supported for this browser!");
}

jQuery
var baseUrl = 'https://{yourOktaDomain}.com';
$.ajax({
  url: baseUrl + '/api/v1/users/me',
  type: 'GET',
  // send the Okta session cookie with the cross-origin request
  xhrFields: { withCredentials: true },
  headers: { Accept: 'application/json' }
}).done(function(data) {
  // data is the parsed JSON profile; stringify it so the alert is readable
  alert(JSON.stringify(data));
})
.fail(function(xhr, textStatus, error) {
  var title, message;
  switch (xhr.status) {
    case 403:
      // responseJSON is only set when the server returned a JSON body
      title = xhr.responseJSON ? xhr.responseJSON.errorSummary : 'Forbidden';
      message = 'Please login to your Okta organization before running the test';
      break;
    default:
      title = 'Invalid URL or Cross-Origin Request Blocked';
      message = 'You must explicitly add this site (' + window.location.origin + ') to the list of allowed websites in your Okta Admin Dashboard';
      break;
  }
  alert(title + ': ' + message);
});

Response Example

If you did not enable CORS and allow your website cross-origin access, then you should see the following errors in your browser’s developer tool console:

Chrome
XMLHttpRequest cannot load https://{yourOktaDomain}.com/api/v1/users/me. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://your-website.com' is therefore not allowed access.
Safari
XMLHttpRequest cannot load https://{yourOktaDomain}.com/api/v1/users/me. Origin https://{yourOktaDomain}.com is not allowed by Access-Control-Allow-Origin.
Firefox
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://{yourOktaDomain}.com/api/v1/users/me. This can be fixed by moving the resource to the same domain or enabling CORS.
Internet Explorer
SEC7118: XMLHttpRequest for https://{yourOktaDomain}.com/api/v1/users/me required Cross Origin Resource Sharing (CORS).

SEC7120: Origin https://{yourOktaDomain}.com not found in Access-Control-Allow-Origin header.

SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.

Additional Resources