I’m building a small app with auth0 as a trial experience. Everything worked out pretty well when I developed locally, but now I deployed it to the web and got unexpected issues.
The error happens when I access /oauth/token:
Access to fetch at 'https://MYORG.auth0.com/oauth/token' from origin 'https://MYDOMAIN.COM' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'.
Here’s how the request looks (converted to curl):
curl 'MYORG.auth0.com/oauth/token' -H 'Referer: MYDOMAIN.COM/?code=CODE&state=STATE%3D%3D' -H 'Sec-Fetch-Dest: empty' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.106 Safari/537.36' -H 'Content-type: application/json' --data-binary '{"grant_type":"authorization_code","redirect_uri":"MYDOMAIN.COM","audience":"AUD","client_id":"CID","code_verifier":"WHATEVER","code":"WHATEVER"}' --compressed
Sent via curl it returns me a valid cookie; sent via the browser it results in the aforementioned error. Given it’s a POST request that sets a cookie and reading through MDN, it looks to me that the Auth0 SDK (I’m using https://cdn.auth0.com/js/auth0-spa-js/1.2/auth0-spa-js.production.js) is supposed to send the request with XMLHttpRequest.withCredentials, but more importantly, the server must reply with an Access-Control-Allow-Credentials header (which it doesn’t, based on curl).
Any ideas?
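A small model of the credentialed CORS check the browser applies to a preflight response, added here as an illustration; it is not code from the original post or from the Auth0 SDK, and the origins and header sets are constructed sample values. It reproduces the error text quoted above and shows which response headers clear it.

```javascript
// Models the Fetch standard's CORS check for a response to a cross-origin
// request. `credentialsMode` is the fetch() option ('omit', 'same-origin' or
// 'include'); `responseHeaders` is a plain object of the response headers.
// Returns { ok, reason } so the outcome can be asserted on, not just printed.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  // Header names are case-insensitive; normalise them before looking up.
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = value;
  }
  const allowOrigin = h['access-control-allow-origin'];
  const allowCreds = h['access-control-allow-credentials'] || '';
  const withCreds = credentialsMode === 'include';

  if (allowOrigin === undefined) {
    return { ok: false, reason: "No 'Access-Control-Allow-Origin' header is present on the requested resource." };
  }
  // A wildcard origin is only acceptable for requests that carry no credentials.
  if (allowOrigin === '*') {
    return withCreds
      ? { ok: false, reason: "The value of the 'Access-Control-Allow-Origin' header must not be the wildcard '*' when the request's credentials mode is 'include'." }
      : { ok: true, reason: '' };
  }
  // Otherwise the header must match the requesting origin byte-for-byte.
  if (allowOrigin !== requestOrigin) {
    return { ok: false, reason: `The 'Access-Control-Allow-Origin' header has a value '${allowOrigin}' that is not equal to the supplied origin.` };
  }
  if (!withCreds) return { ok: true, reason: '' };
  // Credentialed requests additionally require the literal value 'true'.
  if (allowCreds !== 'true') {
    return { ok: false, reason: `The value of the 'Access-Control-Allow-Credentials' header in the response is '${allowCreds}' which must be 'true' when the request's credentials mode is 'include'.` };
  }
  return { ok: true, reason: '' };
}

// Constructed scenarios: the failing response from the post (origin echoed
// back, no Access-Control-Allow-Credentials) and the two ways it can pass.
function demo() {
  const origin = 'https://mydomain.example'; // placeholder for MYDOMAIN.COM
  return {
    failing: corsCheck(origin, 'include', { 'Access-Control-Allow-Origin': origin }),
    serverFixed: corsCheck(origin, 'include', { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true' }),
    clientOmitsCreds: corsCheck(origin, 'omit', { 'Access-Control-Allow-Origin': '*' }),
  };
}
```

Run `demo()` to see the three outcomes; `failing.reason` is the exact message the browser console printed above.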