CORS issue on silent authentication

darthf1 · September 4, 2019, 9:28pm

Hi There,

I’m using Vue with the Nuxt framework and the corresponding Auth module with the Auth0 provider. I’m not using any of the auth0 JS (SPA) libraries, but if i need any to fix the issue i will happily use one. Auth0 is configured as SPA and I’m using the Universal Login on a Auth0 domain (so not a custom / my own domain). Locally, the domain I’m using is https:// localhost.

I’m trying to implement silent authentication. A GET request is made to the /auth URL:

  const url = new URL(<domain>auth0.com/authorize)
  url.searchParams.append('client_id', <my_client_id>)
  url.searchParams.append('redirect_uri', <my_callback_uri>)
  url.searchParams.append('response_type', 'token')
  url.searchParams.append('prompt', 'none')
  url.searchParams.append('response_mode', 'web_message')
  $axios
    .get(url)
    .then(res => console.error('res', res))
    .catch(err => console.error('err', err))

In the Auth0 log, I see a Successful silent authentication. Unfortunately, I cannot fetch the result as my browser gives me the all known CORS error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://<domain>.auth0.com/authorize?client_id=<client_id>&redirect_uri=<callback_uri>&response_type=token&prompt=none&response_mode=web_message. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)

In my Auth0 App settings, I’ve added https:// localhost to my Allowed Web Origins and Allowed Origins (CORS)

I’ve read the page on CORS authentication, which advises me to use the Universal Login. If I’m correct, this is not applicable if for silent authentication?

How should i tackle this? Do i need a cross origin verification page? Will that work for local domains as well? Or do I need to make use of a specific function from an Auth0 JS library to tackle this?

Regards.

dan.woda · September 5, 2019, 10:00pm

Hi @darthf1

Welcome to the Auth0 Community Forum!

I think this may be a browser issue. Check out this thread:

Let me know if that is not it.

Thanks,
Dan

darthf1 · September 6, 2019, 11:37am

Hi @dan.woda, thanks for your reply. Unfortunately it’s not the described issue; if i change my domain from https://localhost to something else, i get the same result.

Btw I’m mainly using Firefox, but error is also on other browsers.

dan.woda · September 6, 2019, 4:03pm

Another user has reported this same issue when using some of our older Auth0.js and Lock libraries. It was fixed by upgrading to the current versions. Since it sounds like you are not using either, switching to a library could solve it.

If you want to try this without a full migration, then you could try one of the quickstarts (takes 5-10 mins to setup) to confirm it is not related to your domain or browser.

dynosapp · September 7, 2019, 1:06am

Hey, @dan.woda, it seems that CORS error is actually coming from a HTTP request and not using any Auth0.js or Lock libraries. How can it be fixed by upgrading to the current version? Which library do we need to make a HTTP request?
I am getting the same CORS error and struggling to get rid of it.

dynosapp · September 11, 2019, 1:06pm

I added mode: 'no-cors', and was able to get rid of the cors error I was getting.

konrad.sopala · September 11, 2019, 1:10pm

Hey there @dynosapp!

Dan is out of office but stoked to hear that you figured it out!

dan.woda · September 26, 2019, 1:10pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.