Problem statement
We received the below error when calling the /oauth/token endpoint.
Auth0 is not setting the Access-Control-Allow-Origin header on the response
Steps to replicate
- Create an Organization.
- Set the allowed callback of an Application that is enabled for that Organization to include a placeholder (e.g. http://{organization_name}.localhost:3000) or wildcard (e.g. http://*.com:3000) on a subdomain.
- Log in through a flow such as Auth Code + PKCE (SPA) and notice a CORS error upon calling the /oauth/token endpoint.
Solution
The hostname requires 3 “labels” (the dot-separated parts of the name), and {organization_name}.localhost has only two, so please use http://{organization_name}.localhost.localdomain:3000 instead.
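The check below is an added example, not Auth0 code: it lints a list of callback URLs and reports any whose hostname carries a placeholder or wildcard but has fewer than three labels. The function names are hypothetical, and reading the rule as "at least three labels" is an assumption based on the solution above.

```javascript
// Added example: lint callback URLs against the three-label hostname rule.
// Assumptions: the placeholder text and the ">= 3 labels" reading come from this page.
const PLACEHOLDER = '{organization_name}';
const MIN_LABELS = 3;

// Extract the hostname with a regex instead of a URL parser, because
// "{", "}" and "*" are not ordinary hostname characters.
function hostnameOf(callbackUrl) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(callbackUrl.trim());
  if (!m) return null;
  const authority = m[1].replace(/^.*@/, '');          // drop any userinfo
  return authority.replace(/:\d*$/, '').toLowerCase(); // drop the port
}

// Return a finding for one URL: ok=false means the rule is violated.
function checkCallback(callbackUrl) {
  const host = hostnameOf(callbackUrl);
  if (!host) return { url: callbackUrl, ok: false, reason: 'no hostname found' };
  const labels = host.split('.');
  const dynamic = labels.some(l => l.includes(PLACEHOLDER) || l.includes('*'));
  if (!dynamic) return { url: callbackUrl, ok: true, reason: 'static hostname, rule not applied' };
  if (labels.length < MIN_LABELS) {
    return { url: callbackUrl, ok: false,
             reason: `dynamic hostname has ${labels.length} labels, needs ${MIN_LABELS}` };
  }
  return { url: callbackUrl, ok: true, reason: `${labels.length} labels` };
}

// Keep only the URLs that would trigger the problem described above.
function lintCallbacks(urls) {
  return urls.map(checkCallback).filter(r => !r.ok);
}

// Constructed sample: the three URLs from this page plus one static URL.
const sample = [
  'http://{organization_name}.localhost:3000',
  'http://*.com:3000',
  'http://{organization_name}.localhost.localdomain:3000',
  'http://localhost:3000',
];
for (const f of lintCallbacks(sample)) console.log(`${f.url}: ${f.reason}`);
```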