An "Access-Control-Allow-Origin" header for the "/authorize" endpoint

Is it possible to make an AJAX call from JavaScript to the “/authorize” endpoint to log in a user? The configuration of the application (Allowed Callback URLs, Allowed Origins) works fine if a user goes directly to the “/authorize” endpoint. I decided to try to make a call to “/authorize” via JS code. The problem is that “/authorize” doesn’t set the “Access-Control-Allow-Origin” header. Is it possible to configure an application to send this header? Or is it an insecure workflow to authorize a user?

The /authorize endpoint doesn’t support AJAX requests, as a successful request will result in a redirect back to the application, not a regular response. It sounds like you’re trying to implement a concept called Silent Authentication.

If I understand correctly, you’re trying to do that for a Single Page Application. For that, auth0.js has a special function: checkSession. That will open an iframe to perform the silent authentication.

Another way to do it, as described in the first article I linked to, is by redirecting the user to /authorize and adding the URL parameter prompt=none to the request. If a rule prevents login or if the user has MFA enabled, you’ll still need to perform a regular redirect to /authorize, without the prompt=none parameter.

I don’t know how familiar you are with Auth0, but a good place to look for more code examples is the QuickStarts.

Thanks for the reply. I know about the Silent Authentication, about the checkSession() method. My case is:

  • we have multiple applications (websites)
  • if a user has been logged in on Site A, he should be logged in on Site B during the first page load
  • on Site B there’s a JS script that checks a session via checkSession()
  • if a session exists, the user is redirected to the "/authorize" endpoint with prompt=none
  • the problem is that this implementation takes ~10 seconds, so I’m looking for a way to log in a user in some kind of background

I’m a bit confused here. checkSession() should already do what you describe: open an iFrame in the background and perform silent auth, without your user really noticing.

However, are you using Safari by any chance? The tracking prevention in that browser completely blocks auth in the background, so there’d be no other way to log in the user than to use the flow you described.
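The flow the two replies describe (silent auth via checkSession() first, a regular redirect to /authorize without prompt=none only when Auth0 reports that interaction is required), as an added example that is not from this thread or from Auth0's own code. It assumes the auth0.js methods checkSession() and authorize() and the OIDC prompt=none error codes login_required, consent_required and interaction_required; the domain, client ID and callback URL are constructed placeholders.

```javascript
// Added example (not the thread's or Auth0's code): the decision logic around
// auth0.js checkSession() for cross-site silent login, with the fallback to an
// interactive /authorize redirect kept separate so it can be run without a browser.

// OIDC error codes that mean "a user interaction is required". These are the
// only outcomes where a full redirect to /authorize (without prompt=none) helps.
const INTERACTION_ERRORS = new Set(['login_required', 'consent_required', 'interaction_required']);

// Build the /authorize URL by hand, i.e. what checkSession() loads in its iframe.
// `state` and `nonce` must be unguessable values the caller stores and verifies on
// the callback; the test below passes constructed placeholders.
function buildAuthorizeUrl({ domain, clientId, redirectUri, state, nonce, silent }) {
  const url = new URL(`https://${domain}/authorize`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('response_type', 'token id_token');
  url.searchParams.set('scope', 'openid profile');
  url.searchParams.set('state', state);
  url.searchParams.set('nonce', nonce);
  if (silent) url.searchParams.set('prompt', 'none'); // silent auth: never render UI
  return url.toString();
}

// Classify the checkSession() outcome into exactly one next step.
function nextStep(err, authResult) {
  if (!err && authResult && authResult.accessToken) {
    return { action: 'authenticated' };
  }
  if (err && INTERACTION_ERRORS.has(err.error)) {
    // Also what you get under Safari ITP, where the iframe cannot see Auth0's cookie.
    return { action: 'redirect_interactive', reason: err.error };
  }
  // timeout, network failure, etc.: do not bounce the user to /authorize in a loop.
  return { action: 'retry_later', reason: (err && err.error) || 'no_tokens' };
}

// Glue for page load: try silent auth, fall back to a full redirect only when
// Auth0 explicitly says interaction is required. `webAuth` is an auth0.WebAuth
// instance (assumed API: checkSession(options, cb) and authorize(options)).
function silentLogin(webAuth, onResult) {
  webAuth.checkSession({}, (err, authResult) => {
    const step = nextStep(err, authResult);
    if (step.action === 'redirect_interactive') webAuth.authorize({}); // no prompt=none
    onResult(step, authResult);
  });
}
```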