
CORS issue in Auth0

cors
access-control-allow

#1

I need to get users by calling the Auth0 API, but it doesn't work.

Here is my code

    getAllUsers () {
        const url = 'https://ian.auth0.com/api/v2/users'
        const fucks = `Bearer ${getAccessToken()}`
        console.log(fucks, 'fucks is fucks')
        const headers = {
            headers: {
                'Authorization': `Bearer ${getAccessToken()}`,
                // 'Access-Control-Allow-Origin': '*',
                // 'Content-Type': 'application/json'
            }
        }
        this.axios.get(url, {
            withCredentials: true,
            params: {
                q: 'email.raw:"ian@yahoo.com"',
                search_engine: 'v2'
            },
            // crossdomain: true,
            headers
        })
        .then((response) => {
            console.log(response, 'is response')
        })
        .catch((err) => {
            console.log(err.toString(), 'err to string')
        })
    }

Already added http://localhost:8081 in the CORS section in my Auth0 settings.

The access token is correct. Any other ideas for this? Already tried a Chrome extension for a temporary fix, but it still doesn't work. Any idea?
Here is the error:

Response to preflight request doesn't pass access control check: No 'Access-Control-

#2

As a disclaimer, the following won’t technically address the issue in question; however, I do think there is something else that we should focus on instead. The endpoint listed is part of the Auth0 Management API and is only meant to be called by client applications that are considered confidential clients per OAuth 2.0 rules.

In particular, the access token required to call that endpoint requires a client credentials grant to be performed, which is unavailable for a browser-based client application because the client credentials could not be securely maintained. With this in mind, the CORS issue you’re currently facing would be mostly a non-issue, as the requirement for having a confidential client application would also take any CORS limitation out of the equation. You may want to update your question with additional context on why you need to call the Management API from a client application that has CORS limitations, as to my knowledge that would only be the case for a non-confidential client application.
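
What the answer above describes, as an added example (not code from the thread or from Auth0): a Node backend performs the client credentials grant and queries the Management API itself, so the browser calls your server and never holds the client secret or a Management API token. `createUserLookup`, `findUserByEmail`, the injected `fetchImpl`, and the v3 `email:"..."` query form are assumptions of this example.

```javascript
// Server-side only (Node 18+ for the global fetch). Tenant domain is the one from the question.
const DOMAIN = 'ian.auth0.com';

// clientId / clientSecret belong to a machine-to-machine application and come
// from server configuration, never from anything shipped to the browser.
function createUserLookup({ clientId, clientSecret, fetchImpl = fetch, now = Date.now }) {
  let cached = null; // { token, expiresAt }

  async function managementToken() {
    // Reuse the token until shortly before expiry instead of minting one per request.
    if (cached && cached.expiresAt > now() + 30000) return cached.token;
    const res = await fetchImpl(`https://${DOMAIN}/oauth/token`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
        grant_type: 'client_credentials',
        client_id: clientId,
        client_secret: clientSecret,
        audience: `https://${DOMAIN}/api/v2/`,
      }),
    });
    if (!res.ok) throw new Error(`token request failed: ${res.status}`);
    const { access_token, expires_in } = await res.json();
    cached = { token: access_token, expiresAt: now() + expires_in * 1000 };
    return cached.token;
  }

  return async function findUserByEmail(email) {
    // Reject input that could break out of the quoted search term.
    if (typeof email !== 'string' || !/^[^\s"\\]+@[^\s"\\]+$/.test(email)) {
      throw new Error('invalid email');
    }
    const url = new URL(`https://${DOMAIN}/api/v2/users`);
    url.searchParams.set('q', `email:"${email}"`);
    url.searchParams.set('search_engine', 'v3');
    const res = await fetchImpl(url, {
      headers: { Authorization: `Bearer ${await managementToken()}` },
    });
    if (!res.ok) throw new Error(`user search failed: ${res.status}`);
    // Hand the front end only the fields it needs, not full profiles.
    return (await res.json()).map((u) => ({ user_id: u.user_id, email: u.email }));
  };
}
```

Expose `findUserByEmail` behind your own authenticated route; that route is same-origin (or uses your own CORS policy), so the Management API's CORS behaviour no longer matters.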


#3