CORs error with Legacy Lock API disabled even though I am on latest lock

Just got an error this morning after a year of working flawlessly. Chrome tools reports

Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

I know this is related to the legacy lock API migration. I followed the guide and it said all I needed to do was upgrade to the latest lock which I did so I am unclear what I have to do now.

I enabled the legacy lock api in my advanced tenant settings. At first I got “an error has occurred” in the lock popup, but it now seems to be working.

My question is what do I have to do so that this doesn’t stop working in August when the grade period expires?


Same here, now I am also a bit confused since we are using auth0-lock 11.7.2 (npm)

:wave: @chameleon @jviitala as mentioned we can temporary change the ‘Legacy Lock API’ toggle in our Advanced Settings. For this issue Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource is indicating that any domain we are doing cross-origin authentication from should be added to the ‘Allowed Web Origins’ field. Can you verify that you’ve added the origins of all the domains where you are initiating the logins from are in the ‘Allowed Web Origins’ fields of the respective Auth0 applications(client)? Once everything is set we can turn off the Legacy Lock API flag and verify that everything’s running smoothly. Please let me know if you still experience this issue after checking.

By turning off the 'Legacy Lock API` flag, this mimics what will happen in August when the grace period expires.

1 Like

It looks like I was missing my domain in the Allowed Web Origins field. I just made the changes and I believe that solved the problem.

One thing that changed was that it now gives me the you last logged in with option. I haven’t seen that in quite a while, since I upgraded lock. Did this change impact that behavior and is there a way to turn that off?

1 Like

I found how to disable the last logged in option. It’s curious that making the change to the Allowed Web Origins impacted that behavior but everything seems to be working

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.