Okay.
Are you running the extension in the popup or inside DOM of any other website?
My extension runs in the DOM of a page (like mail.google.com) and the request to Auth0 is actually going from the mail.google.com origin. This is giving origin error as i cannot whitelist all these origins in Auth0 application.
It is working if i call the token from background script of extension, then the request always goes from origin chrome-extension://id which we can whitelist in Auth0. Saving the token in extension storage from background and then fetching it on client.
If the extension is simply inside popup.html, then the auth0 requests are always from background only.