/authorize endpoint returns CORS error in Node.JS Application

I have a node.js express application with the following /token endpoint that can redirect to auth0 authorize endpoint

router.post('/token', limiter, oauth2Validations.validateCreateToken, (req, res) => {
  const authInfo = _.clone(req.body)

  const ip = req.ip
  authInfo.ip = ip.split(',')[0]
  if (!req.oidc.isAuthenticated()) {
    return res.oidc.login({
      authorizationParams: {
        connection: 'Username-Password-Authentication',

    .then((payload) => {
    .catch((err) => {
      processError(res, err)

When i call this endpoint and redirects to auth0, i always receive a CORS error:

I am running the api in localhost:3000 and frontend in localhost:3001, and already set both in Allowed Origins (CORS)


If i just get the /authorize url and copy and paste into a tab in the browser, it works

Somebody can belp?

Hi. Thanks for reaching out to community.

This does not look like a normal CORS issue. Browsers create a preflight request if it is needed. It’s an OPTIONS request like below and is sent before the actual request message.

OPTIONS method is not supported on the /authorize endpoint as it is expected that the browser will request the page directly and not via an xhr request.

Some alternatives here would be:

  • A redirect flow to /authorize with prompt=none
  • getTokenSilently() method if using the auth0-spa-js SDK
  • a refresh token flow (this can do an xhr request to /oauth/token)

Let us know if this works.


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.