We had a bit of a fire drill this morning when the Legacy Lock API was disabled on our tenant this morning. We use auth0-js v9, custom domains, and an embedded authentication scheme so we thought we were all set to go after the Legacy Lock API was deprecated. It turned out that wasn’t the case.
Here’s what we are seeing:
Ok. We’ve dug into this a bit more. This looks like what is going on:
- auth0-js sends an HTTP OPTIONS request to https://login.parabol.co/co/authenticate. We receive a 200 OK response to this request.
- However, the response does not include the Access-Control-Allow-Origin header.
- Our client won’t POST to https://login.parabol.co/co/authenticate without this header.
In the logs we see:
Just for kicks, I flipped the “Legacy Lock API” switch to “on” and then our application started working. The same CORS requests are now successful:
We didn’t see anything in the docs that said that any changes were going to hit the /co/authenticate endpoint. We thought we were safe if we were using auth0-js v9. Were these changes expected on your side? Is there some other API method we should be using to authenticate using custom domains and embedded login?
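The preflight behaviour described in the post can be reproduced offline with a simplified model of the browser's CORS check. This is an added example, not part of the original post and not Auth0 or auth0-js code; the function name `checkPreflight`, the origin `https://app.example.com`, the request headers and both sample responses are constructed assumptions.

```javascript
// Simplified model of the browser-side CORS preflight decision (added example).
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

function tokens(value) {
  return (value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// req: { origin, method, headers: [non-safelisted header names], credentials }
// res: { status, headers } of the OPTIONS response
function checkPreflight(req, res) {
  const h = lowerKeys(res.headers);
  const deny = (reason) => ({ allowed: false, reason });
  if (res.status < 200 || res.status > 299) return deny(`preflight status ${res.status}`);

  const acao = h["access-control-allow-origin"];
  if (!acao) return deny("missing Access-Control-Allow-Origin");
  if (acao === "*" && req.credentials) return deny("wildcard origin with credentials");
  if (acao !== "*" && acao !== req.origin) return deny(`origin mismatch: ${acao}`);
  if (req.credentials && h["access-control-allow-credentials"] !== "true")
    return deny("missing Access-Control-Allow-Credentials: true");

  // "*" in the allow lists only counts as a wildcard for non-credentialed requests.
  const wildcardOk = !req.credentials;
  const methods = tokens(h["access-control-allow-methods"]);
  const method = req.method.toUpperCase();
  if (!SAFELISTED_METHODS.includes(method) && !methods.includes(method.toLowerCase()) &&
      !(wildcardOk && methods.includes("*"))) return deny(`method ${method} not allowed`);

  const allowedHeaders = tokens(h["access-control-allow-headers"]);
  for (const name of req.headers.map((n) => n.toLowerCase())) {
    if (!allowedHeaders.includes(name) && !(wildcardOk && allowedHeaders.includes("*")))
      return deny(`header ${name} not allowed`);
  }
  return { allowed: true, reason: "preflight passed" };
}

// Constructed samples: a credentialed JSON POST, a 200 OK preflight without CORS headers
// (the failing case in the post), and a preflight that echoes the origin.
const request = { origin: "https://app.example.com", method: "POST", headers: ["Content-Type"], credentials: true };
const noAcao = { status: 200, headers: { "Content-Length": "0" } };
const withAcao = { status: 200, headers: { "Access-Control-Allow-Origin": "https://app.example.com",
  "Access-Control-Allow-Credentials": "true", "Access-Control-Allow-Headers": "Content-Type, Auth0-Client" } };
console.log(checkPreflight(request, noAcao), checkPreflight(request, withAcao));
```

A 200 OK status alone does not pass the check: the first sample is rejected for the missing header, which is why the client never issues the POST.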