Error: CORS request rejected when Postman reaches SPS OIDC Provider


Article ID: 254328







When CA Access Gateway (SPS) runs as an OIDC provider and is tested with the "Postman Web App", the authorization code is returned, but when the tool then requests the Access Token from the Token Endpoint, the application reports an error:

    Request Body
    grant_type: "authorization_code"
    code: "OGU2NmM0MzktOTA*****************************************************ZnZQWT0="
    redirect_uri: ""
    client_id: "mobileAPP_AP"
    Error: CORS request rejected:




  CA Access Gateway (SPS) 12.8SP6 on Windows 2016




The SPS traces show:

    Resolving service to handle OIDC CORS Preflight Request, for URI: /affwebservices/CASSO/oidc/Client/token]

According to the documentation, the CORSConfiguration ACO parameter should be configured (1). The browser (when running the Postman web app) requests CORS parameters (2).



Configure the CORSConfiguration ACO parameter so that SPS returns the CORS headers that the Postman app needs.
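To confirm the change, the preflight response that SPS returns for the token endpoint can be checked against the rules a browser applies before it sends the token request. This is an added example, not part of the original article or of the product's code; the origin, the Authorization request header and the three sample responses are constructed assumptions.

```javascript
// Added example: evaluates a CORS preflight response the way a browser does
// (Fetch standard rules, request sent without credentials mode "include").
const TOKEN_PATH = "/affwebservices/CASSO/oidc/Client/token"; // URI from the SPS trace
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

function parseList(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Returns the reasons a browser would reject the preflight; empty array = pass.
function checkPreflight(preflight, response) {
  const problems = [];
  const h = {};
  for (const [k, v] of Object.entries(response.headers)) h[k.toLowerCase()] = v;

  if (response.status < 200 || response.status > 299) {
    problems.push(`status ${response.status} is not 2xx`);
  }
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== preflight.origin && allowOrigin !== "*") {
    problems.push("Access-Control-Allow-Origin does not match Origin");
  }
  // Safelisted methods (POST included) need not be listed explicitly.
  const methods = parseList(h["access-control-allow-methods"]);
  const method = preflight.method.toUpperCase();
  if (!SAFELISTED_METHODS.has(method) && !methods.includes(method.toLowerCase()) && !methods.includes("*")) {
    problems.push(`method ${method} is not allowed`);
  }
  // "*" in Access-Control-Allow-Headers never covers Authorization.
  const allowed = parseList(h["access-control-allow-headers"]);
  for (const name of preflight.requestHeaders.map((n) => n.toLowerCase())) {
    const viaWildcard = allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !viaWildcard) {
      problems.push(`request header "${name}" is not allowed`);
    }
  }
  return problems;
}

// Constructed sample data (placeholders, not values from the article).
const preflight = { origin: "https://postman-web.example", method: "POST", requestHeaders: ["Authorization"] };
const samples = {
  noCorsHeaders: { status: 200, headers: {} },
  wildcardOnly: { status: 200, headers: { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "*" } },
  configured: { status: 200, headers: { "Access-Control-Allow-Origin": "https://postman-web.example",
    "Access-Control-Allow-Methods": "POST", "Access-Control-Allow-Headers": "Authorization, Content-Type" } },
};
for (const [name, res] of Object.entries(samples)) {
  console.log(`${TOKEN_PATH} [${name}]:`, checkPreflight(preflight, res).join("; ") || "preflight passes");
}
```

The `wildcardOnly` case still fails because a wildcard in Access-Control-Allow-Headers does not cover Authorization; the header has to be listed by name.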

Additional Information



    Cross-Origin Resource Sharing (CORS) Support for OIDC Endpoints

      If CORS is enabled for Authentication URL, SiteMinder verifies
      whether the Origin header is allowed per the CORSConfiguration ACO
      parameter configuration. If the Origin header is not allowed, CORS
      process flow ends. If the Origin header is allowed, SiteMinder
      validates the other configured ACO parameters, and then
      authenticates the user, adds CORS response to the authentication
      response, and redirects to Authorization Endpoint.