The silent authentication call succeeds from the root URL of our app but keeps failing when called from an API route.
What’s a cross-origin request?
When a page from one origin (e.g. https://myapp.com) makes a request to another origin (e.g.
What is CORS (Cross-origin resource sharing)?
CORS is a technique/protocol that allows a server to indicate what cross-origin requests are allowed.
So if your SPA at
https://yourtenant.auth0.com/oauth/token, that endpoint needs to be OK with cross-origin requests. It does so by implementing CORS (returning the right headers that say “I can receive requests from the
Now, all requests to
The fact that you get a CORS error from the /authorize endpoint means that:
- /authorize endpoint, which is a wrong implementation of it.
- You tried to make a request to another endpoint (e.g. https://myapi.com) and that endpoint REDIRECTED to
Only interactive flows (e.g. a web page that returns HTML, one that a user visits) should redirect to /authorize. An API HTTP service is meant to be used by other code, not by users directly, so it should not return redirections to /authorize if the authorization fails. It should return
For example, try making a request to https://yourtenant.auth0.com/api/v2/users without a token: it will return 401, but it won’t redirect you to
Try making a request to https://manage.auth0.com from an incognito window and it will redirect you to https://auth0.auth0.com/authorize because it’s a web page, and wants you to be authenticated.
If I do:
const response = await request("https://mydomain.auth0.com/authorize[...]")
If I type https://mydomain.auth0.com/authorize[....] in the address bar, that’s a full-page navigation. No CORS. That’s how /authorize is supposed to be used.
If I type https://myapp.com and it redirects to /authorize, that’s still a full-page navigation. No CORS.
If I do:
const response = await request("https://myapiserver.com/api/users");
and the API server returns a 301 redirect to /authorize, that’s a wrong API design, and if request() follows that redirection, then that will be a cross-origin /authorize request, which is a wrong implementation.
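The difference between an API that answers 401 and one that redirects to /authorize, as an added example that is not part of the original post: two hypothetical API handlers and a simplified model of how a browser fetch() issued from the SPA origin treats each response (the origins, URLs, handler names and the request shape are assumptions).

```javascript
// Added example, not code from the original post. Origins, URLs and the
// handler functions are illustrative assumptions.
const SPA_ORIGIN = "https://myapp.com";
const AUTHORIZE_URL = "https://yourtenant.auth0.com/authorize";

function hasBearerToken(req) {
  return /^Bearer \S+$/.test(req.headers["authorization"] || "");
}

// Correct API behaviour: a machine caller without a token gets a 401 (with
// CORS headers) and is never redirected to the interactive /authorize page.
function apiHandlerCorrect(req) {
  const cors = { "access-control-allow-origin": SPA_ORIGIN };
  if (!hasBearerToken(req)) {
    return { status: 401, headers: { ...cors, "www-authenticate": 'Bearer realm="api"' } };
  }
  return { status: 200, headers: cors, body: '{"users":[]}' };
}

// Wrong API behaviour: the API redirects to /authorize when the token is
// missing, as if a human in a browser tab were behind the request.
function apiHandlerWrong(req) {
  const cors = { "access-control-allow-origin": SPA_ORIGIN };
  if (!hasBearerToken(req)) {
    return { status: 302, headers: { ...cors, location: AUTHORIZE_URL + "?response_type=code" } };
  }
  return { status: 200, headers: cors, body: '{"users":[]}' };
}

// Simplified model of fetch() from script running on SPA_ORIGIN: redirects
// are followed, and the final response must carry an
// Access-Control-Allow-Origin matching the caller. /authorize is a
// cross-origin HTML login page that sends no such header, so the script
// only ever sees an opaque CORS failure, not the reason it was redirected.
function simulateCrossOriginFetch(handler, req) {
  let res = handler(req);
  if (res.status >= 300 && res.status < 400) {
    new URL(res.headers.location); // the redirect target is a different origin
    res = { status: 200, headers: { "content-type": "text/html" }, body: "<html>login</html>" };
  }
  const allow = res.headers["access-control-allow-origin"];
  if (allow !== SPA_ORIGIN && allow !== "*") {
    return { ok: false, error: "TypeError: Failed to fetch (blocked by CORS policy)" };
  }
  return { ok: true, status: res.status, body: res.body };
}

// Constructed sample requests: no token, and a placeholder bearer token.
const noToken = { method: "GET", headers: {} };
const withToken = { method: "GET", headers: { authorization: "Bearer constructed.token.value" } };
console.log(simulateCrossOriginFetch(apiHandlerCorrect, noToken)); // { ok: true, status: 401 }
console.log(simulateCrossOriginFetch(apiHandlerWrong, noToken)); // { ok: false, error: ... }
```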