Hello,
I am using passport/auth0 to handle authentication in my express backend. Users are able to log in/log out etc. If the user refreshes the page after their session expires, they are redirected to the auth0 login screen correctly.
Our issue is when a user loses their session and tries to use the app (the front end makes calls to the back end via axios). We have authentication middleware set up on those routes and external proxies. The middleware correctly sees the user has no session and points them to login:

    async function checkLoggedIn (req, res, next) {
      console.log('checking');
      try {
        // Session still carries an authorization -> let the request through
        if (req.session.authorization) {
          next();
        } else {
          // No session -> send the caller to the login route
          res.redirect('/login');
        }
      } catch (err) {
        res.redirect('/error');
      }
    }
But on the redirect to login which looks like this:
    router.get(
      '/',
      // Hands off to Auth0's /authorize endpoint (authorization code flow)
      passport.authenticate('auth0', {
        clientID: process.env.AUTH0_CLIENT_ID,
        domain: process.env.AUTH0_DOMAIN,
        redirectUri: process.env.AUTH0_CALLBACK,
        audience: process.env.AUTH0_AUDIENCE,
        responseType: 'code',
        scope: 'openid'
      }),
      (req, res) => {
        res.redirect('/');
      }
    );
A CORS error is thrown in the browser:
    Failed to load https://sso.website.auth0.com/authorize?audience=https%3A%2F%2...........':
    Redirect from 'https://sso.website.auth0.com/authorize?audience=https%3A%2F%.........' to 'https://sso.website.auth0.com/login?state=KvO.........'
    has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
    Origin 'https://qa.website.website.com' is therefore not allowed access.
This happens both when running locally on localhost and when the app is deployed to its url.
We’ve tried adding all the usual CORS stuff in express and adding localhost urls and deployment urls in the Web Origins/CORS setting in auth0 with no success.
Thanks
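Added example (editor's code, not the original poster's and not Auth0's or Passport's). It shows the pattern that avoids the error above: a browser will follow a 302 issued to an XHR/axios call into the cross-origin Auth0 `/authorize` endpoint, and the CORS check on that follow-on request fails no matter what origins are allowlisted, so the middleware returns `401` with JSON to programmatic callers and keeps the redirect only for top-level page loads; the client then performs the navigation itself. The `/api/` prefix, the `login` field in the JSON body, and the fake `req`/`res` objects are assumptions made for this stand-alone demo; they are not from the post.

```javascript
// Added example (editor's, not the original poster's code). Assumes Express-style
// req/res objects; the fake request/response objects at the bottom are
// constructed here so the file runs offline without Express or axios.

// Read a header from an Express request or a plain { headers: {...} } object.
function header(req, name) {
  if (typeof req.get === 'function') return req.get(name) || '';
  const headers = req.headers || {};
  return headers[name.toLowerCase()] || '';
}

// Decide whether the caller is a programmatic client (axios/fetch) rather than a
// top-level browser navigation. A 302 to Auth0 only works for the latter: an XHR
// follows the redirect cross-origin and the browser rejects it under CORS.
// The '/api/' prefix is an assumption for this demo.
function wantsJson(req) {
  const path = req.path || req.originalUrl || '';
  return (
    path.startsWith('/api/') ||
    header(req, 'X-Requested-With') === 'XMLHttpRequest' ||
    header(req, 'Accept').includes('application/json')
  );
}

// Server side: same session check as the post, but API callers get 401 + JSON
// instead of a redirect they cannot follow.
function checkLoggedIn(req, res, next) {
  try {
    const session = req.session || {};
    if (session.authorization) return next();
    if (wantsJson(req)) {
      // Tell the client where to go; it performs the navigation itself.
      return res.status(401).json({ error: 'login_required', login: '/login' });
    }
    return res.redirect('/login'); // top-level navigation: a redirect is fine
  } catch (err) {
    return res.redirect('/error');
  }
}

// Client side: turn a 401 from the API into a top-level navigation. `navigate`
// is injected so this runs outside a browser; in the app it would be
// (url) => window.location.assign(url).
function onApiError(err, navigate) {
  const resp = err && err.response;
  if (resp && resp.status === 401) {
    const target = (resp.data && resp.data.login) || '/login';
    navigate(target);
    return true; // handled
  }
  return false; // let other errors propagate
}
// Usage in the browser with axios (not run here):
//   axios.interceptors.response.use(r => r, err => {
//     if (onApiError(err, url => window.location.assign(url))) return new Promise(() => {});
//     return Promise.reject(err);
//   });

// Constructed fake response object that records what the middleware did.
function makeRes() {
  return {
    statusCode: 200, body: undefined, location: undefined,
    status(code) { this.statusCode = code; return this; },
    json(body) { this.body = body; return this; },
    redirect(url) { this.statusCode = 302; this.location = url; return this; },
  };
}

// Run the middleware against a constructed request and report the outcome.
function simulate(req) {
  const res = makeRes();
  let passed = false;
  checkLoggedIn(req, res, () => { passed = true; });
  return { passed, status: res.statusCode, location: res.location, body: res.body };
}

// Constructed sample requests (not real traffic).
const loggedInApi = { path: '/api/items', headers: {}, session: { authorization: 'token' } };
const expiredApi  = { path: '/api/items', headers: { 'x-requested-with': 'XMLHttpRequest' }, session: {} };
const expiredPage = { path: '/dashboard', headers: { accept: 'text/html' }, session: {} };

console.log(simulate(loggedInApi)); // passed: true, status 200
console.log(simulate(expiredApi));  // status 401, body.login '/login', no redirect
console.log(simulate(expiredPage)); // status 302, location '/login'
```

The split matters for security as well as for the error: with a redirect-only middleware, an API client that silently follows the 302 can end up parsing the Auth0 login page as if it were a JSON response, whereas an explicit 401 gives the front end an unambiguous signal to discard its state and start a fresh top-level login.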