I need a little bit more information to diagnose why you are having this issue.
First, where are you using lock?
- If it is from your application (embedded at your website domain), then you are likely using an old version of lock. You need to update to the latest version of lock so that your application is using /co/authenticate instead of /usernamepassword/login.
Also, I would highly recommend using a redirect flow instead of trying to embed lock into your application directly. This will give you a much better experience and also adhere more to the OIDC standard.
To do this, you would use auth0.js to call authorize from your application when someone wants to log in. And then you can configure your login page in the “hosted pages” section of the manage dashboard to look however you want, including the use of lock if you desire. This will make your networking much simpler. If you embed lock in your application, you will need to use CNAMEs, or your risk customers with third party cookies disabled to not be able to access your site.
I highly recommend using one of the quickstarts. You can get to a quickstart in nearly any language you are attempting to use. They should be redirecting to the login page at your auth0 tenant and you can use that example for configuring your system.
- If you are already using the login page at Auth0 and redirecting to /authorize, then please share your login page code as that would be helpful in figuring out what is wrong.