CORS Error- Despite correct settings in newly created tenant

@anny First, thank you for the response!

We have the same issue with the latest version of the auth0-cordova library. It is requesting “https://.auth0.com/oauth/token” via “http://localhost:8080” (this is what the Cordova webview is serving the code through, there is no way to change it). The “http://localhost:8080” origin is set in “Allowed Web Origins” and “Allowed Origins (CORS)” but the “Access-Control-Allow-Origin” response header is not present, even though the “-Methods” and “-Headers” are and the HTTP status is 200. That is on the preflight request (OPTIONS).

As far as I understand, this is not related to any of the deprecated API endpoints. Furthermore, this is part of the official way to integrate Auth0 into Cordova apps that is not currently working.

Can you please advise us what to do? This is a big problem and is preventing us from using Auth0. Even if you can’t provide a solution right away, can you please let us know if the problem is acknowledged and being looked into so we can plan our next steps. Thanks!

@ets Initially looking at it it doesn’t seem to be related to the deprecation that we are doing (but I haven’t verified this entirely). A couple of questions:

• When you say “https://.auth0.com/oauth/token”, is it requesting your account as in “https://YOUR_DOMAIN.auth0.com/oauth/token”?
• Are you using one of the examples listed here? auth0-cordova/example at master · auth0/auth0-cordova · GitHub
• Do you happen to have an old tenant that you can test this with? (to verify that it’s not related to one of the deprecation flags)

@anny

• Yes, I put <tenant> in there as a marker but the forum system seems to have removed that instead of escaping.

• I’m not directly using the example but I went over everything in there twice and the relevant code is the same, specifically the “wkwebview” one. I am checking the request made using the Safari Developer tools attached to the application after the redirect back to the app.

• I only have one that is about a month old and using it does reproduce the problem.

Thanks for looking into this.

The same error on /oauth/token: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource

Hi, I am having the same issue: old tenants works, new ones - don’t.
All of the settings are exactly the same. What’s happening?

Same error as @ets. Any solution?

hi @ets, did you sort out this problem? thanks!

No, we decided to use the password grant (Resource Owner Password Flow) directly from our server and register users via the Management API.

Good god, Auth0, how hard is it to return a 500 error with a description of the breaking change instead of an empty 404 that says nothing? at least for a few months post deprecation? =/

I did have the same issue but on returning to this now, after creating a new tenant I am no longer seeing this happening. I don’t know what has changed but the CORS pre-flight check is successful and so is a subsequent POST request to /oauth/token

Is anyone else now seeing this resolved with a new tenant? I’m still unclear as it whether it’s a bug that has been fixed or it is related to a migration of tenant features in some way.

@jmangelo you mentioned

I’m aware of at least one issue with an endpoint that due to a bug was not allowing CORS when it should not depending on tenant configuration

Is this the issue which has been fixed?

At the time I wrote that, the situation I was aware of was related to /delegation endpoint and depending on how the tenant was configured. Having said that, I’m now also aware of changes to CORS policies in the token endpoint so I believe these would explain the behavior you now receive.

Can you explain these changes please. I’m still no clearer as to what’s happening with this endpoint

The change I was aware was about /oauth/token not previously taking Allowed Origins (CORS) in consideration for CORS and now it does.

We are also getting the same error “Failed to load resource: the server responded with a status of 404 ()”

We created a new tenant just to be sure but still received the same error

I’m also with this cors issue, on endpoint /passwordless/verify

Having similar issue with /dbconnections/change_password call

We’re using latest version of Auth.js (9.5.1)

Preflight OPTIONS request goes through but then POST request fails with error 404.

Auth0 Logs show “Failed by CORS” as well as “Failed Change Password unknown error”

Any ideas what might be issue here?

@leobarcellos if you’re calling passwordlessVerify we should instead be calling passwordlessLogin

https://auth0.com/docs/libraries/auth0js/v9#verify-passwordless

@mirko have you added your domain to the lost of Allowed Web Origins section in the application? Was this working previously and you just started getting this issue with change password?

Hi Kim, yes I added domain to Allowed Web Origins list. Without it preflight OPTIONS request fails as well. With it OPTIONS request goes through but POST request fails.

I’m getting this error with new tenant that I setup. It is working with existing tenants that we setup moths ago (perhaps more than a year ago).

@mirko I apologize for the delay. Would it be possible for you to capture a HAR file and send it over to me so I can take a look at what’s happening? Please make sure to remove any sensitive information, please feel free to DM me if you prefer!

I think I might be seeing similar behaviour on a new Tenant which was provisioned this year. The same configuration works correctly on a tenant which has a lot of legacy stuff still enabled and was provisioned a couple of years ago.

The Access-Control-Allow-Origin header is never returned almost as if the dashboard settings are not being applied correctly somewhere in the Auth0 stack. I can see CORS errors being logged in the dashboard logs section but they are for host names that should be covered by the CORS rules defined in my application.