http://locahost:3001 has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
I have added http://locahost:3001 to BOTH the Allowed Web Origins and Allowed Origins fields in my application settings. Please help!
Apologies for the delay @dave6 - Thank you for sending over the names of your tenants. Looking at your tenants, I see that the application you are using is a SPA - Are you also using our SPA SDK?
In order for me to further troubleshoot, can you also please DM me a HAR file? Details on capturing a .har can be found here:
Yes I am using the SPA SDK - I am using React with the @auth0/auth0-react package.
I am calling getTokenSilently with the SDK, and passing the token to the api/v2/users/user_id endpoint to try to update the user. I will DM you a HAR file now
Thanks for sharing the HAR file, @dave6 - It looks like this isn’t a CORS failure: the OPTIONS method is not supported on the /authorize endpoint, as it is expected the browser will request the page directly and not via an XHR request.
Some alternatives here would be:
A redirect flow to /authorize with prompt=none
getTokenSilently() method if using the auth0-spa-js SDK
A refresh token flow (this can do an XHR request to /oauth/token)
Both of these will use the auth0 session cookie to request a new token in the background. Depending on your architecture, this can cause unexpected behavior with Safari Intelligent Tracking Prevention and Chrome incognito mode. In that case, refresh token rotation can sidestep those issues.
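The HAR check described in the reply above can be scripted. This is an added example, not code from the thread or from Auth0: it scans a HAR for CORS preflights and separates an XHR aimed at /authorize from a real missing-header problem. The host names, sample entries, and the names `triagePreflights` and `headerValue` are assumptions made for illustration.

```javascript
// Constructed HAR 1.2 excerpt: hosts, ids, statuses and headers are sample values.
const preflight = (url, method, status, resHeaders = []) => ({
  request: { method: "OPTIONS", url, headers: [
    { name: "Origin", value: "http://localhost:3001" },
    { name: "Access-Control-Request-Method", value: method }] },
  response: { status, headers: resHeaders },
});
const sampleHar = { log: { entries: [
  preflight("https://tenant.example.com/authorize?client_id=SAMPLE&prompt=none", "GET", 404),
  preflight("https://tenant.example.com/api/v2/users/SAMPLE_ID", "PATCH", 204,
    [{ name: "Access-Control-Allow-Origin", value: "http://localhost:3001" }]),
  preflight("https://api.example.com/orders", "GET", 204),
  { request: { method: "POST", url: "https://tenant.example.com/oauth/token", headers: [] },
    response: { status: 200, headers: [] } },
] } };

// Case-insensitive header lookup over a HAR header array.
function headerValue(headers, name) {
  const hit = (headers || []).find(h => h.name.toLowerCase() === name.toLowerCase());
  return hit ? hit.value : null;
}

// Paths meant to be loaded by browser navigation, not XHR (from the reply: /authorize).
function triagePreflights(har, navigationOnlyPaths = ["/authorize"]) {
  const findings = [];
  for (const { request, response } of har.log.entries) {
    const requested = headerValue(request.headers, "Access-Control-Request-Method");
    if (request.method !== "OPTIONS" || requested === null) continue; // not a preflight
    const { origin, pathname } = new URL(request.url);
    let verdict = "ok";
    if (navigationOnlyPaths.includes(pathname)) {
      verdict = "navigation-endpoint-called-via-xhr"; // allowed-origin settings will not help
    } else if (headerValue(response.headers, "Access-Control-Allow-Origin") === null) {
      verdict = "missing-allow-origin"; // a genuine CORS configuration issue
    }
    findings.push({ endpoint: origin + pathname, requestedMethod: requested,
      pageOrigin: headerValue(request.headers, "Origin"), status: response.status, verdict });
  }
  return findings;
}

console.log(triagePreflights(sampleHar));
```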