We have the same issue with the latest version of the auth0-cordova library. It is requesting “https://.auth0.com/oauth/token” via “http://localhost:8080” (this is what the Cordova webview is serving the code through, there is no way to change it). The “http://localhost:8080” origin is set in “Allowed Web Origins” and “Allowed Origins (CORS)” but the “Access-Control-Allow-Origin” response header is not present, even though the “-Methods” and “-Headers” are and the HTTP status is 200. That is on the preflight request (OPTIONS).
As far as I understand, this is not related to any of the deprecated API endpoints. Furthermore, this is part of the official way to integrate Auth0 into Cordova apps that is not currently working.
Can you please advise us what to do? This is a big problem and is preventing us from using Auth0. Even if you can’t provide a solution right away, can you please let us know if the problem is acknowledged and being looked into so we can plan our next steps. Thanks!
@ets Initially looking at it it doesn’t seem to be related to the deprecation that we are doing (but I haven’t verified this entirely). A couple of questions:
When you say “https://.auth0.com/oauth/token”, is it requesting your account as in “https://YOUR_DOMAIN.auth0.com/oauth/token”?
Yes, I put <tenant> in there as a marker but the forum system seems to have removed that instead of escaping.
I’m not directly using the example but I went over everything in there twice and the relevant code is the same, specifically the “wkwebview” one. I am checking the request made using the Safari Developer tools attached to the application after the redirect back to the app.
I only have one that is about a month old and using it does reproduce the problem.
The same error on /oauth/token: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource
Good god, Auth0, how hard is it to return a 500 error with a description of the breaking change instead of an empty 404 that says nothing? at least for a few months post deprecation? =/
I did have the same issue but on returning to this now, after creating a new tenant I am no longer seeing this happening. I don’t know what has changed but the CORS pre-flight check is successful and so is a subsequent POST request to /oauth/token
Is anyone else now seeing this resolved with a new tenant? I’m still unclear as it whether it’s a bug that has been fixed or it is related to a migration of tenant features in some way.
At the time I wrote that, the situation I was aware of was related to /delegation endpoint and depending on how the tenant was configured. Having said that, I’m now also aware of changes to CORS policies in the token endpoint so I believe these would explain the behavior you now receive.
@mirko have you added your domain to the lost of Allowed Web Origins section in the application? Was this working previously and you just started getting this issue with change password?
Hi Kim, yes I added domain to Allowed Web Origins list. Without it preflight OPTIONS request fails as well. With it OPTIONS request goes through but POST request fails.
I’m getting this error with new tenant that I setup. It is working with existing tenants that we setup moths ago (perhaps more than a year ago).
@mirko I apologize for the delay. Would it be possible for you to capture a HAR file and send it over to me so I can take a look at what’s happening? Please make sure to remove any sensitive information, please feel free to DM me if you prefer!
I think I might be seeing similar behaviour on a new Tenant which was provisioned this year. The same configuration works correctly on a tenant which has a lot of legacy stuff still enabled and was provisioned a couple of years ago.
The Access-Control-Allow-Origin header is never returned almost as if the dashboard settings are not being applied correctly somewhere in the Auth0 stack. I can see CORS errors being logged in the dashboard logs section but they are for host names that should be covered by the CORS rules defined in my application.