question: disable auth redirect does not return 401.

[alvin664]

I am using the following authorization policy, attempting to get a 401 returned to browser so that client-side js can handle the error. But browser still sees the default 302 returned.

Any idea how to achieve that?

            authorization policy my_policy_401 {
                    set auth url https://xxxxx
                    crypto key verify yyyyy
                    allow roles authp/admin authp/user
                    acl default allow
                    set token sources cookie
                    inject headers with claims
                    disable auth redirect
            }

[alvin664]

After access_token expired and removed, vendor app continued to send AJAX XMLhttprequest and browser in turn sent OPTIONS to OKTA, ended up in CORS error. In debug log:

2025/10/30 00:35:48.930 ERROR http.handlers.authentication auth provider returned error {"provider": "authorizer", "error": "user authorization failed: src_ip=x.x.x.x, src_conn_ip=y.y.y.y, reason: no token found"}

I want to intercept and get 401 instead so as to handle that by js script.
Or if there is a better way to handle that?

Thanks.