Silent Authentication: 'does not have a registered origin'

I’m using the Implicit Grant Flow with the hosted Lock and everything is working great except renewing the SSO session after the access token has expired.

“Use Auth0 instead of the IdP to do Single Sign On” is set to on, the SSO session should last 7 days, the access token lasts 30 seconds (testing) and Allowed Callback URLs, and Allowed Web Origins are all set to allow the redirect url.

I’m using checkSession in auth0-js and despite all my attempts I always get: “message”: “The specified redirect_uri ‘https://test.xxxx.no/xxxxx/’ does not have a registered origin.” in the logs with failure. If I use renewAuth I get success silent auth in the log, but the callback function still doesn’t receive the token and the err: “not_authorized”

What am I missing? I am also a bit confused about the difference between renewAuth and checkSession, and what the paramter usePostMessage: true/false actually does.

3 Likes

The checkSession method superseded the renewAuth one as it provides the same functionality with less overhead to the client application.

However, the checkSession method does require that you explicitly set the Allowed Web Origins client settings property with the origins that will be performing the requests. In this particular case, if your client application is deployed in domain test.xxxx.no and as such is using a redirect URL of https://test.xxxx.no/xxxxx/ then you need to add https://test.xxxx.no as an allowed web origin in the Allowed Web Origins client setting.

Based on the error message the most likely explanation would be that there are either not configured allowed web origins or none are applicable to that redirect URL.

5 Likes

Thanks, the issue was that I was trying https://test.xxxx.no/xxxxx/ and https://test.xxxx.no/, but neither of those work - only https://test.xxxx.no without the slash on the end woks.

5 Likes

Yes, that also explains it; thanks for the follow-up. The validation is based on the web origin so the field would expect the scheme, host and port only; the additional slash was treated as a path component and leading to the mismatch.

1 Like