This guide explains Cross-Origin Resource Sharing (CORS), why it is useful, how it is relevant to your Okta apps, and how to enable and test it.

Learning objective: grant cross-origin access to the Okta API from your web apps.

Cross-Origin Resource Sharing (CORS) is a mechanism that allows a web page to make an AJAX call using XMLHttpRequest (XHR) to a domain that is different from the domain where the script was loaded. Such cross-domain requests would otherwise be forbidden by web browsers under the same-origin security policy: the browser sends simple requests but refuses to expose the response to the script, and it preflights anything else. CORS defines a standardized way in which the browser and the server interact to determine whether to allow the cross-origin request.

In Okta, CORS allows JavaScript hosted on your website to make an XHR to the Okta API with the Okta session cookie. Every website origin must be explicitly permitted through the Admin Console for CORS. See Grant cross-origin access to websites.

If you use OAuth 2.0 tokens to call Okta APIs, you don't need to add a Trusted Origin, because OAuth for Okta APIs doesn't rely on cookies. See OAuth 2.0 and Scopes and supported endpoints.

Caution: Grant access only to specific origins (websites) that you control and trust to access the Okta API. Any script running on a permitted origin can call the API as the signed-in user, so a cross-site scripting flaw on that site becomes an Okta API call made with the victim's session.

The Okta API supports CORS on an API-by-API basis. If you're building an application that needs CORS, check that the specific operation supports CORS for your use case. APIs that support CORS are marked with the CORS icon. You can review which browsers support CORS on /cors.

Note: IE8 and IE9 don't support authenticated requests and can't use the Okta session cookie with CORS.

Grant cross-origin access to websites

You can enable CORS for websites that need cross-origin requests to the Okta API.

1. Select Add Origin and then enter a name for the organization origin.
2. In the Origin URL box, specify the base URL of the website that you want to allow cross-origin requests from.
3. Make sure that CORS is selected as the Type. You can also enable the Redirect setting, which allows redirection to this Trusted Origin after a user signs in or out.

Note: If you don't enable CORS, or disable it later, the list of websites is retained.

Test your configuration

Do the following to test your CORS configuration: in the same browser in which you have an active session in your Okta organization, enter your Okta subdomain in the form below and click Test. Your Okta user profile appears below the form.

Response header rule for Access-Control-Allow-Origin on CDN points of presence (POPs)

You can configure the CORS parameter only if you set Operation to Add and Response Header to Access-Control-Allow-Origin. Valid values of CORS: Disable and Enable. Default value: Disable.

Disable: POPs do not check the Origin header in user requests. In this case, POPs return the configured value of Access-Control-Allow-Origin verbatim. Because a browser accepts only a single origin or an asterisk in this header, a comma-separated list returned this way is rejected by every client.

Enable: POPs check the Origin header in user requests and set the Access-Control-Allow-Origin header based on the following rules:

Exact match: You can specify one or more values for the Access-Control-Allow-Origin header. Separate multiple values with commas (,). If the value of the Origin header in a user request matches one of the configured values, the matched value is returned. If it matches none of them, the Access-Control-Allow-Origin header is not returned.

Wildcard domain name match: If you set the Access-Control-Allow-Origin header to a wildcard domain name, the value of the Origin header is matched against the wildcard domain name. This trusts every present and future host under that domain, including any that an attacker can register or take over, so keep the wildcard as narrow as the application allows.

Wildcard pattern match: If you set the Access-Control-Allow-Origin header to an asterisk (*), Access-Control-Allow-Origin: * is returned regardless of whether user requests contain the Origin header or what value it carries. Browsers refuse to expose such a response to credentialed requests (cookies or an Authorization header), so this setting is suitable only for public resources.

If you set the CORS parameter to Enable and the value that you want to specify for the Header Value parameter contains a hyphen (-), you must percent-escape the hyphen.

If the origin server also returns the header, how the duplicate is handled is configurable based on your business requirements: either the header returned from the origin server is overwritten by the header added to the response, or both headers are returned to the client. Returning both leaves the client with two Access-Control-Allow-Origin headers, which browsers treat as an invalid multi-valued header and block, so overwriting is the safer choice.

Configure the parameters according to the following table and click OK. Example: If you set the Access-Control-Allow-Origin header to one or more values that are separated by commas (,):
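The following is an added example, not code from the Okta guide or from the CDN documentation quoted on this page. It models the Access-Control-Allow-Origin rule described above (Disable, and Enable with exact, wildcard-domain and asterisk matching) as a pure function, and pairs it with the acceptance check a browser applies to the answer, so the effect of each setting on a cookie-authenticated request such as Okta's session-cookie XHR can be seen without a live CDN. The config field names (cors, headerValue, allowCredentials) and all sample origins are this example's own assumptions.

```javascript
// Added example, not code from the Okta guide or the CDN documentation above.
// It models the Access-Control-Allow-Origin rule (Disable / Enable with exact,
// wildcard-domain and "*" matching) as a pure function, and the acceptance
// check a browser applies to the answer. The config field names (cors,
// headerValue, allowCredentials) are this example's own assumptions.

const ACAO = "Access-Control-Allow-Origin";
const ACAC = "Access-Control-Allow-Credentials";

// Compile one configured value into a predicate over the request's Origin.
// A value is "*", an exact origin such as https://app.example.com, or a
// wildcard domain such as https://*.example.com, where "*" stands for one or
// more DNS labels (so it covers every present and future host under it).
function compileAllowed(value) {
  if (value === "*") return () => true;
  if (value.includes("*")) {
    const parts = value
      .split("*")
      .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
    const re = new RegExp("^" + parts.join("[A-Za-z0-9.-]+") + "$", "i");
    return (origin) => re.test(origin);
  }
  return (origin) => origin === value;
}

// Headers a POP adds for a request whose Origin header is `origin`
// (undefined when the request carried none).
function corsResponse(config, origin) {
  const headers = {};
  if (config.allowCredentials) headers[ACAC] = "true";
  if (config.cors !== "Enable") {
    // Disable: Origin is not inspected; the configured value is returned verbatim,
    // even when it is a comma-separated list that no browser will accept.
    headers[ACAO] = config.headerValue;
    return headers;
  }
  const values = config.headerValue.split(",").map((s) => s.trim()).filter(Boolean);
  if (values.includes("*")) {
    // Wildcard pattern match: "*" is returned whether or not Origin is present.
    headers[ACAO] = "*";
    return headers;
  }
  // From here the answer depends on the request, so shared caches must key on
  // Origin; otherwise one client's allow header is served to every other origin.
  headers.Vary = "Origin";
  if (origin !== undefined && values.some((v) => compileAllowed(v)(origin))) {
    // Exact match returns the matched value, which equals the origin itself; a
    // wildcard domain is not a valid header value, so the request's Origin is
    // echoed in both cases. No match: the header is omitted entirely.
    headers[ACAO] = origin;
  }
  return headers;
}

// The browser's CORS check (Fetch standard): the header must be "*" or exactly
// the request origin; a credentialed request, such as an XHR carrying the Okta
// session cookie, additionally rejects "*" and requires
// Access-Control-Allow-Credentials: true.
function browserAccepts(headers, origin, withCredentials) {
  const acao = headers[ACAO];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === "*" || acao === origin;
  return acao === origin && headers[ACAC] === "true";
}

// Constructed configuration and requests for a quick stand-alone run.
const trustedOrigins = {
  cors: "Enable",
  headerValue: "https://app.example.com, https://admin.example.com",
  allowCredentials: true,
};
console.log(corsResponse(trustedOrigins, "https://admin.example.com"));
console.log(corsResponse(trustedOrigins, "https://evil.example"));
console.log(corsResponse({ cors: "Enable", headerValue: "*" }, undefined));
```

Running the block shows the three shapes a response can take: an echoed origin with Vary: Origin for a trusted caller, no allow header at all for an unlisted one, and a bare asterisk that a cookie-bearing request can never use. The Vary header is not part of the rule as the page describes it; it is included because a CDN that caches an origin-dependent response without it will hand one site's allow header to every other site.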