Auth0 /authorize causes “No 'Access-Control-Allow-Origin' header” if servlet called via JS fetch

I use Auth0 API. The whole application is on a single Tomcat server, HTTPS connector. If the WebFilter checking for authentication finds the auth tokens, it does not call LoginServlet but normally continues to the destination servlet.

There are two cases when /authorize on Auth0’s server is called:

  1. A link to some servlet S in a static web page, intercepted by a WebFilter. WebFilter then calls (if no auth tokens found) LoginServlet which successfully authenticates using Auth0, never a problem here.

  2. JS’ fetch() to a servlet X, intercepted by the same WebFilter as above. WebFilter then calls (again, if no auth tokens found) exactly the same LoginServlet which calls exactly the same /authorize URL. This time it always fails with “No ‘Access-Control-Allow-Origin’ header”.

Yet, if WebFilter finds the auth tokens and forwards normally to the servlet X, this one in turn has no problems calling Auth0 /userinfo.

The server’s domain is in both Allowed Web Origins and Allowed Origins (CORS). What might be the source of the problem?

The error message specifies Origin, which is correct, the same in both cases and exists in Auth0 Application seetings (also in CORS).