My Auth0 logins on my Node.js/Angular 1.x app started failing unexpectedly this week, with the following error:
“Failed to load resource: the server responded with a status of 403 (Forbidden). There was an error fetching the SSO data. This could simply mean that there was a problem with the network. But, if a “Origin” error has been logged before this warning, please add “http://mxxxx-xxxxx.herokuapp.com” to the “Allowed Web Origins” list in the Auth0 dashboard.”
This was affecting my live server as well as my test environment, in which case the above would be replaced with “http://localhost:5000”. Both of these addresses are in my list of “Allowed Web Origins”.
I saw that some endpoints were removed recently, and that it was recommended that I update my Lock v9 to Lock v11, so I followed the migration guide, and updated it to the latest (11.9.1), as well as migrating to angular-lock (3.0.0). Same error.
While the migration guide used lockProvider.init(), none of the other Lock v11 guides use this anywhere, instead instantiating the Lock object directly using Auth0Lock(ClientID, Domain). I tried this as well, and get the same error.
I got this more specific error randomly after reloading one time:
" Callback URL mismatch.
The URL “http://localhost:5000/access_token=qQALlxxxxxw3&id_token=eyJ0exxxxxxxxxxxxxxxxxxxxxxxxxxw_OdI&scope=openid%20profile%20email&expires_in=86400&token_type=Bearer&state=s6ZMchxxxxxxxqp8L-677x5YH” is not in the list of allowed callback URLs. "
Obviously, the base URL is in the list. Could it be checking the entire URL? That seems unlikely.
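The two allow-lists named in the errors above are usually compared in different ways: an "Allowed Web Origins" style list only needs the scheme, host and port to match, whereas a callback-URL list is compared against the full URL (minus the fragment, which the browser never sends to the server). The following is an added example, not code from the original post or from Auth0, and how Auth0 itself performs these checks is an assumption here; it models both comparisons so that the difference can be seen on a constructed redirect whose token response has ended up in the path rather than in the `#` fragment, as in the quoted error.

```javascript
// Added example (not from the original post or Auth0). Models two allow-list
// checks: an origin match and an exact callback-URL match. Auth0's real
// matching rules are assumed, not quoted, here.

// Origin check: only scheme, host and port are compared. A redirect to any
// path under a registered origin passes this check.
function isAllowedOrigin(candidate, allowedOrigins) {
  const origin = new URL(candidate).origin;
  return allowedOrigins.some((entry) => new URL(entry).origin === origin);
}

// Normalise a callback URL for exact comparison: drop the fragment
// (#access_token=... is client-side only and never reaches the server) and
// rely on the URL parser to canonicalise an empty path to "/".
function normalizeCallback(raw) {
  const u = new URL(raw);
  u.hash = '';
  return u.href;
}

// Exact callback check: scheme, host, port, path and query must all match a
// registered entry. Anything appended to the path makes the URL a different
// callback, which is exactly the "not in the list" outcome.
function isAllowedCallback(candidate, allowedCallbacks) {
  const wanted = normalizeCallback(candidate);
  return allowedCallbacks.some((entry) => normalizeCallback(entry) === wanted);
}

// Constructed sample allow-list with placeholder hosts (not the poster's app).
const ALLOWED = ['http://localhost:5000', 'http://example-app.herokuapp.com'];

// Constructed redirect shaped like the quoted error: the token response sits in
// the path ("/access_token=...") instead of the fragment. Values are placeholders.
const BAD_REDIRECT =
  'http://localhost:5000/access_token=PLACEHOLDER&id_token=PLACEHOLDER&state=PLACEHOLDER';

// Constructed redirect with the response where an implicit-flow client expects it.
const GOOD_REDIRECT = 'http://localhost:5000/#access_token=PLACEHOLDER&state=PLACEHOLDER';

// Runs both checks against both redirects and returns the outcomes.
function demo() {
  return {
    badOriginOk: isAllowedOrigin(BAD_REDIRECT, ALLOWED),       // true: origin matches
    badCallbackOk: isAllowedCallback(BAD_REDIRECT, ALLOWED),   // false: path differs
    goodCallbackOk: isAllowedCallback(GOOD_REDIRECT, ALLOWED), // true: fragment ignored
  };
}

console.log(demo());
```

The point of the comparison is that a redirect can satisfy the origin list and still fail the callback list: the origin check is what a CORS-style "Allowed Web Origins" entry buys you, while the callback list is an exact-match control, so any extra path component in the redirected URL is enough to fail it.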