Our application is exactly the scenario mentioned here: Authenticate Single-Page Apps With Cookies
What is done?
- I used the auth0/express-openid-connect Node.js middleware (GitHub: "An Express.js middleware to protect OpenID Connect web applications") to provide the /login and /logout APIs as required
- Certain paths of my application are protected using the above middleware
Observed behavior:
1. User is NOT logged in via the authorization server (my tenant)
2. User tries to access the protected web page, which makes a call to a protected path
3. JS code on the page tries to call the path on the backend server
4. Backend server detects the user is NOT logged in, and sends a 302 redirect to the Auth0 authorization endpoint on my tenant, viz. /authorize
5. The /authorize endpoint then redirects the browser to the /login endpoint
6. The /login API sends back an HTML page with the embedded auth0.js lock script
Is this the expected behaviour of this approach? This means that every separate page that wants this authentication will need to re-render the whole page using the HTML with the embedded auth0.js lock script sent back as response.
At step 6, when I logged in as the user (Auth0 database connection), the login fails with the errors below:
Question:
- I understand the CORS issue, but if the Auth0 server does not include "Access-Control-Allow-Origin" set to "localhost" (as expected when set in the Application's Allowed Web Origins and CORS settings), then how can we test this against a local dev server? The browser is enforcing CORS policy because Auth0 is not sending back the "Access-Control-Allow-Origin" set to the value (https://localhost) defined in the "Allowed Web Origins/CORS" (localhost for local dev).
- As per the tutorial here: Authenticate Single-Page Apps With Cookies
  - The user is prompted to authenticate themselves using whatever method the authorization server presents
  - The authorization server POSTs the tokens to the redirect URI as a URL-encoded form post. The backend is able to retrieve those tokens by parsing the body data.
  How can the Authorization Server POST to localhost? How can we test this in a local setup?
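The CORS failure in steps 3 to 5 comes from the browser silently following the backend's 302 inside a fetch()/XHR call, which lands in /authorize as a cross-origin request. The following added example (not code from the original post or from express-openid-connect) shows the usual mitigation: answer script-initiated requests with 401 and a login URL so the page itself performs the top-level navigation, and redirect only real browser navigations; the LOGIN_PATH value and the injected isAuthenticated callback are assumptions.

```javascript
// Assumption: express-openid-connect mounts its login handler at /login.
const LOGIN_PATH = '/login';

// A full page load sends Sec-Fetch-Mode: navigate and Accept: text/html;
// fetch()/XHR from page JS sends Sec-Fetch-Mode: cors (or same-origin) and
// usually asks for JSON. Older clients may only send X-Requested-With.
function isBrowserNavigation(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  if (h['sec-fetch-mode']) return h['sec-fetch-mode'] === 'navigate';
  if (h['x-requested-with'] === 'XMLHttpRequest') return false;
  return (h['accept'] || '').includes('text/html');
}

// Decide how to answer a request whose session is NOT authenticated.
// Returns a plain object so the decision is testable without Express.
function planUnauthenticatedResponse(req) {
  const returnTo = encodeURIComponent(req.originalUrl || req.url || '/');
  if (isBrowserNavigation(req.headers)) {
    // Real navigation: redirecting into the OIDC login flow is what the user expects.
    return { status: 302, headers: { Location: `${LOGIN_PATH}?returnTo=${returnTo}` } };
  }
  // Script-initiated call: never redirect the XHR (the browser would follow it
  // cross-origin and hit CORS); tell the page where to navigate instead.
  return {
    status: 401,
    headers: { 'Content-Type': 'application/json', 'Cache-Control': 'no-store' },
    body: { error: 'login_required', login: `${LOGIN_PATH}?returnTo=${returnTo}` },
  };
}

// Express-style middleware factory. isAuthenticated(req) is injected so the
// example runs offline; with express-openid-connect (authRequired: false)
// it would be: req => req.oidc.isAuthenticated().
function requireLogin(isAuthenticated) {
  return (req, res, next) => {
    if (isAuthenticated(req)) return next();
    const plan = planUnauthenticatedResponse(req);
    res.status(plan.status);
    for (const [k, v] of Object.entries(plan.headers)) res.set(k, v);
    return plan.body ? res.json(plan.body) : res.end();
  };
}
```

On the page, a fetch() that gets 401 with error "login_required" should set window.location to body.login; that same top-level navigation is what later carries the form_post callback to the redirect URI, so it works against localhost too.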