Overview
This article describes why a Cross-Origin Resource Sharing (CORS) error may occur during silent authentication attempts. Specifically, it addresses scenarios where the authentication call is successful when initiated from the application’s root URL but fails when initiated from an API route within the same application.
Applies To
- CORS (Cross-origin resource sharing)
Cause
The /authorize request should be a regular interactive navigation, not performed from JavaScript.
It is possible that an API is redirecting to /authorize and the JavaScript performing the request is following that redirection.
Solution
The Cross-Origin Resource Sharing (CORS) error occurs because the /authorize endpoint is designed for browser-driven, full-page navigations (like user logins) and does not implement the necessary CORS headers to allow requests directly from JavaScript originating from a different domain. JavaScript requests are subject to the Same-Origin Policy, which prevents calls to different origins unless the target server explicitly allows it via CORS.
This error typically manifests in two incorrect implementation scenarios:
- JavaScript code directly attempts to call the
/authorizeendpoint. - JavaScript code calls an API endpoint (e.g., https://myapi.com). Upon detecting a missing or invalid authorization, this API endpoint incorrectly responds with a redirection (HTTP 301/302) to the
/authorizeendpoint instead of an error status. The browser attempts to follow this redirect from the JavaScript context, leading to the CORS error because/authorizedoes not permit the cross-origin request.
To resolve this issue:
- Ensure the API endpoint returns a 401 Unauthorized status code when authorization is missing or invalid for requests originating from JavaScript. Do not configure API endpoints to redirect to the
/authorizeendpoint in response to failed authorization checks on API calls. This allows the client-side JavaScript application to catch the 401 error and initiate a proper, browser-driven authentication flow if necessary. - Could you verify that the client-side JavaScript code does NOT make direct Workspace or XMLHttpRequest calls to the
/authorizeendpoint? Authentication requiring/authorizeshould be triggered through full-page browser navigation.
Example Scenario Causing the Error:
// Incorrect implementation: JavaScript calls an API
const response = await fetch("https://myapiserver.com/api/users");
// If myapiserver.com detects no valid session/token and incorrectly
// responds with a 302 redirect to https://yourtenant.auth0.com/authorize,
// the browser's attempt by the fetch API to follow this redirect
// will be blocked by CORS rules, resulting in an error.
Correct API Behavior: An API endpoint (e.g., https://<your-tenant>/api/v2/users) is called without a valid token should return a 401 Unauthorized status directly.
Correct /authorize Usage : Navigating to a protected web page (e.g., https://manage.auth0.com) in the browser without an active session correctly triggers a full-page redirect to /authorize, handled entirely by the browser, which does not involve CORS restrictions.