Auth0 Home Blog Docs

CORS issue on /oauth/token request

cors
token-endpoint

#1

I first send a non-logged in user to the Hosted Login page through auth0 which redirects them to http://mysite.com?code=123auth_123code. If a user is logged in, then I gather the authorization code and do the same redirect.

Once in my site, I attempt to gather the access token using the authorization code by asking https://mydomain.auth0.com/oauth/token. I then get the error “Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘http://mysite.com’ is therefore not allowed access.” I have added http://mysite.com to the client’s allowed callback URLs, allowed web origins, and allowed origins lists. The goal is to complete a implicit grant flow as described here https://auth0.com/docs/api-auth/tutorials/implicit-grant

I do not know what I am doing wrong. Is this because I am requesting the access code from an http domain instead of an https domain? Why is auth0 rejecting this cross domain call.


#2

Try upgrading to the latest version of whatever SDK you are using. That worked for me with the Lock widget.


#3

Since this is still in development, I was able to do this https://stackoverflow.com/questions/3102819/disable-same-origin-policy-in-chrome for testing and everything works as expected. I get my access_token. It seems the only problem is that the response from the /oauth/token endpoint does not contain the proper access-origin-allow header. Is there a setting somewhere in the auth0 dashboard that I missed? Does my audience name parameter in the /oauth/token request need to match the DNS name of the web app?


#4

Thanks for the advice. We made the change upgraded to the latest SDK but get the same error.