Hello,
I have a React app using the SPA starter with the Auth0Provider React wrapper. I have bought the starter package where I am using a custom domain, e.g. domain.com.
My application is hosted on blog.domain.com and I have auth0 authenticating via auth.domain.com.
Despite this, when a user signs up for the first time on my application, e.g. via apple ID, I get the following errors:
[Error] Blocked a frame with origin "https://blog.domain.com" from accessing a frame with origin "https://auth.domain.com". Protocols, domains, and ports must match.
r (index-xxxxxxxx.js:...)
And also this error:
[Error] Unhandled Promise Rejection: Error: Unable to open a popup for loginWithPopup - window.open returned `null`
promiseEmptyOnRejected (index-f1fe79f8.js:194:3276)
promiseReactionJob
Now if I were to run this flow on desktop, the popup would open, I can grant access to my open id scopes, etc. and then happily continue onto my application as a signed in user.
However, for mobile users (which is 99.99% of my audience for this application) the popup is blocked on the browsers I have tried (Safari, and Firefox).
This is the code that is executed on page load:
export class AuthUtils {
static async getBearer(authInstance) {
return new Promise((resolve, reject) => {
const fetchAccessToken = async () => {
const auth = {
authorizationParams: {
scope: 'openid profile email',
audience: 'https://xxxxxx.eu.auth0.com/api/v2/'
}
};
if (!authInstance) {
throw new Error('Invalid authentication handler');
}
try {
return await authInstance.getAccessTokenSilently(auth);
} catch (e) {
if (e.error === 'consent_required') {
return await authInstance.getAccessTokenWithPopup(auth);
} else if (e.error === 'login_required') {
return await authInstance.loginWithRedirect();
} else {
throw e;
}
}
};
Promise.resolve(fetchAccessToken()).then((token) => resolve(token));
});
}
}
So when a user loads the page, this method is executed and the returned token is stored in state and assigned as a bearer token to all requests.
My application code loads as follows:
<Auth0Provider
domain="auth.domain.com"
clientId="xxxxx"
authorizationParams={{
redirect_uri: window.location.origin
}}
>
<Provider store={reduxStore}>
<AppWrapper />
</Provider>
</Auth0Provider>
);
I’m not entirely sure where to go from here. All of my settings are configured to allow for callbacks, CORS, etc. on my domains (auth and blog subdomains).
The only thing I was thinking was to perhaps authenticate without popup - is this doable? Or have I done something wrong in the setup of my application?
Thanks!