CORS Error- Despite correct settings in newly created tenant

We created a new tenant for development and are having trouble in debugging the application with Auth0 as its not accepting localhost in cross origin.

We read the support post regarding this and renamed the localhost to exampleproduct.com and this is also not working.

We would appreciate any help from Suth0 technical team to resolve this issue.

Settings of the client:

{
  "tenant": "exampleproduct-dev",
  "global": false,
  "is_token_endpoint_ip_header_trusted": false,
  "name": "*****",
  "is_first_party": true,
  "oidc_conformant": true,
  "sso_disabled": false,
  "cross_origin_auth": true,
  "description": "",
  "logo_uri": "",
  "sso": true,
  "callbacks": 
    "http://exampleproduct.com"
  ],
  "allowed_logout_urls": ],
  "allowed_clients": ],
  "allowed_origins": 
    "http://exampleproduct.com"
  ],
  "client_id": "****",
  "callback_url_template": false,
  "client_secret": "*****",
  "jwt_configuration": {
    "alg": "RS256",
    "lifetime_in_seconds": 36000,
    "secret_encoded": false
  },
  "token_endpoint_auth_method": "none",
  "app_type": "spa",
  "grant_types": 
    "authorization_code",
    "http://auth0.com/oauth/grant-type/password-realm",
    "implicit",
    "password",
    "refresh_token"
  ],
  "web_origins": 
    "http://exampleproduct.com"
  ],
  "custom_login_page_on": true
}

In terms of settings the most important one to focus would the web_origins one which appears configured correctly. I’m aware of at least one issue with an endpoint that due to a bug was not allowing CORS when it should not depending on tenant configuration. You should update your question with the endpoints that are triggering the CORS error so that further troubleshooting can be made.

endpoints: https://kovaitest.auth0.com/oauth/token
Host: kovaitest.auth0.com
Origin: http://exampleproduct.com

@jmangelo

endpoint : https://kovaitest.auth0.com/oauth/token

Host: kovaitest.auth0.com

Origin: http://exampleproduct.com

Also, a tenant was created a month back and that works fine. This is a newly created tenant. And does not work.
Thanks for the reply. Do you need anymore information ?
Your help will be appreciated.

I am also facing same problem. Any tenant created recently is not allowing cross origin. The ones created a while ago (approx one month) is working fine. I just verified this using fiddler, Access-Control-Allow-Origin is not there in the response header. @jmangelo is this an issue you guys are aware of?

Any update on this?
I am having the same problem with new tenants.
/user/ssodata
/dbconnections/signup

I also am having the same problem. I created a new tenant (bzdb) and added “http://localhost:3000” to all the proper spots in the client settings like I do everytime and CORS is failing on all endpoints:

https://bzdb.auth0.com/user/ssodata/
https://bzdb.auth0.com/usernamepassword/login

Thinking that maybe something is just wrong with this tenant, I changed my UI configuration to talk to one of my old tenants and everything works just fine. I checked to ensure that both tenant clients are configured exactly the same.

So then I made a another tenant (bz-tourney-db) and tried again. And again I am getting CORS issues with these urls:

https://bz-tourney-db.auth0.com/usernamepassword/login
https://bz-tourney-db.auth0.com/user/ssodata/

The new tenants are just refusing to include the proper CORS response headers.

@jmangelo is there any update on this issue?

We are also experiencing the same issue. Is there an update?

Same here. Any update on this, is there any workaround ???

We’re having the same problem with newly created tenants. Any solutions?

We have the same issue. Seems our new tenant is having issues, but our old ones are working perfectly fine.

Endpoint:
GET https://{TENANT}.eu.auth0.com/user/ssodata/ → status: 404

Warning in console:
“There was an error fetching the SSO data. This could simply mean that there was a problem with the network. But, if a “Origin” error has been logged before this warning, please add “{URL}” to the “Allowed Origins (CORS)” list in the Auth0 dashboard: {URL}”

Library used:
Lock.js V10.18

We have the same issue. Seems our new tenant is having issues, but our old ones are working perfectly fine.

Endpoint:
GET https://{TENANT}.eu.auth0.com/user/ssodata/ → status: 404

Warning in console:
“There was an error fetching the SSO data. This could simply mean that there was a problem with the network. But, if a “Origin” error has been logged before this warning, please add “{URL}” to the “Allowed Origins (CORS)” list in the Auth0 dashboard: {URL}”

Library used:
Lock.js V10.18

Same here.

Same issue, old tenant works fine, new tenant not working!!!

Please help, we are going into production…

Never had an issue with Auth0 before now…

We are also missing an important deadline because of this, can we at least be acknowledged here with an answer of any kind?

The same issue.
I can’t make POST request to /oauth/token.
I got an issue with cors origin but in the settings of client added allowed web origins.
I noticed the auth0 doesn’t return Access-Control-Allow-Origin header.
Somebody know how is it fixing?

The same issue.
I can’t make POST request to /oauth/token.
I got an issue with cors origin but in the settings of client added allowed web origins.
I noticed the auth0 doesn’t return Access-Control-Allow-Origin header.
Somebody know how is it fixing?

The same issue.
I can’t make POST request to /oauth/token.
I got an issue with cors origin but in the settings of client added allowed web origins.
I noticed the auth0 doesn’t return Access-Control-Allow-Origin header.
Somebody know how is it fixing?

Hi all - I just went through the same issue. I had to create a ticket with Auth0 and ask them to fully enable deprecated tenant features. New tenants (as of late last year I believe) are created with them disabled.

As explained here Deprecations and Migrations

We’re continually improving the security of our service. As part of this, we are deprecating a set of APIs (/usernamepassword/login, /ssodata, tokeninfo, /delegation) used by Lock.js v8, v9, and v10 and and auth0.js, v6, v7, and v8. You should update your applications by April 1, 2018.

Currently, new tenants don’t have the ability to use older versions of Lock in embedded form and they also don’t have access to old legacy grant flows. This is one of the possible causes of the CORS error that you’re noticing.

As explained in the migration document, it’s recommended that you move towards a centralized login experience by using our Hosted Login Page. You can find migration guides to move from Embedded login to Centralized login in this document.

If you decide you need to continue using embedded login, here are the migration guides for Auth0.js 9 and Lock 11.

Please take into consideration that the Hosted Login Page is currently the only way to implement Passwordless authentication on native platforms, as explained here