Allow file Web Origin

I am coding an Electron Desktop app with JS and I need to call the login lock from a file.
I have no problem signing in with Social Logins but when I try to log in with Username-Password authentication I get a 403 from /co/authenticate saying file:// origin is not allowed.

Any solution?

You should try adding file://* in the Allowed Origins (CORS) for your client in the dashboard:

This should enable you to bypass the “Origin is not allowed” error when calling lock from a file://…

I already added file://* in CORS but I still get a 403 (for /co/authenticate) when trying to log in from Username-Password lock…

I already added file://* in CORS but I still get a 403 (for /co/authenticate) when trying to log in from Username-Password lock…

I am having the same issue. Is there a solution to this?

I am also having trouble getting beyond the issue described above. Social logins work fine in my electron app, but username-password-authentication fails with a 403 and “Origin file:// is not allowed.

I already have file://* in my list of allowed origins. My lock options are

  auth: {
    redirect: false,
    sso: false

Has anyone been able to get around this problem? Any help would be appreciated.

As a (hopefully temporary) workaround, I enabled password grants in the API and am overriding the popup functionality for username/password submission by making a manual request to the API to retrieve an access token. It’s not pretty, but it works. The code below was written against auth0-lock version 11.7.2.

Social logins are still handled by the lock since I’m not having any issue there.

const clientId = '....';
const domain = '....';

const lock = new Lock(clientId, domain, {
  auth: {
    sso: false,
    redirect: false

 * Handle successful authentications
 * @param {object} authResult
 * @param {string} authResult.accessToken
 * @param {string} authResult.tokenType
 * @param {number} authResult.expiresIn
function onAuthenticated(authResult) {
  // code

 * Use Auth0 API for username/password authentication.
 * @param {Event} e
function logMeIn(e) {

  const widget = document.querySelector('.auth0-lock-widget');

  const username = widget.querySelector('input[name=email]').value;
  const password = widget.querySelector('input[name=password]').value;

  fetch(urljoin('https://', domain, 'oauth/token'), {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json'
    body: JSON.stringify({
      grant_type: 'password',
      client_id: clientId,
    .then(res => res.json())
    .then(data => {
      if (data.error) {
        throw new Error(data.error_description);

      // normalizing authResult object to camel case property names.
      //   * auth0-lock returns camelCased response body
      //   * auth0 api return snake_cased response body
      return {
        accessToken: data.access_token,
        expiresIn: data.expires_in,
        tokenType: data.token_type
    .catch(err => alert(err.message));

// handle social logins
lock.on('authenticated', onAuthenticated);

// intercept username/password submission attempt
lock.on('show', () => {
    .addEventListener('click', logMeIn);

lock.on('hide', () => {
    .removeEventListener('click', logMeIn);

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.