CORS issues on localhost

I keep getting the following error when trying to update a user’s information using the following tutorial:

http://locahost:3001 has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

I have added http://locahost:3001 to BOTH the Allowed Web Origins and Allowed Origins fields in my application settings. Please help!

Hi @dave6 - Welcome to Auth0 community!

Can you please clarify if you are using our Universal login solution or Embedded lock? Also, do you have a custom domain present in your tenant?


Hi! Thank you for your prompt reply.

I am using Universal Login, and I do not have a custom domain present in my tenant.

I am having the issue for both my development and production environments.

Can you try updating the URL to https://localhost:3001 instead of http://? If that doesn’t work, can you DM me the name of your tenant?


That did not work. DM’ing you now.

Once you figure it out @ruchi please share it here in the topic for the benefit of others!

I DM’d @ruchi a few days ago and I have gotten nothing back on this issue.

This issue renders Auth0 completely useless. I will have to switch authentication services if I do not get help with this problem. @konrad.sopala

Apologies for the delay @dave6 - Thank you for sending over the names of your tenants. Looking at your tenants, I see that the application you are using is a SPA - Are you also using our SPA SDK?

In order for me to further troubleshoot, can you also please DM me a HAR file? Details on capturing a .har can be found here:

Thanks for following up on that!

Yes I am using the SPA SDK - I am using React with the @auth0/auth0-react package.

I am calling getTokenSilently with the SDK, and passing the token to the api/v2/users/user_id endpoint to try to update the user. I will DM you a HAR file now

Thanks for sharing the HAR file, @dave6 - It looks like this isn’t a CORS failure–the OPTIONS method is not supported on the /authorize endpoint as it is expected the browser will request the page directly and not via an xhr request.

Some alternatives here would be:

  • A redirect flow to /authorize with prompt=none
  • getTokenSilently() method if using the auth0-spa-js SDK
  • a refresh token flow (this can do an xhr request to /oauth/token)

You could look into refresh token rotation:

  1. Refresh Token Rotation
  2. With that setup you could likely extend the useful life of refresh tokens safely.
  3. You could also consider increasing the length of the browser session and use checkSession in auth0.js or getTokenSilently in auth0-spa-js:

Both of these will use the auth0 session cookie to request a new token in the background. Depending on your architecture this can cause unexpected behavior with Safari Intelligent Tracking Prevention and Chrome incognito mode. In that case refresh token rotation can sidestep those issues.

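One way to triage a HAR capture like the one discussed above, as an added example that is not part of the original thread or Auth0's code: it classifies each preflight as either an XHR aimed at /authorize or a genuine missing-origin failure. The hosts, status codes and function names are constructed for illustration.

```javascript
// Helpers to build constructed HAR 1.2 entries (headers are [{name, value}]).
const h = (name, value) => ({ name, value });
const entry = (method, url, reqHeaders, status, resHeaders) => ({
  request: { method, url, headers: reqHeaders },
  response: { status, headers: resHeaders },
});

// Constructed sample capture: hosts, paths and status codes are made up.
const ORIGIN = "http://localhost:3001";
const sampleHar = { log: { entries: [
  entry("OPTIONS", "https://tenant.example/authorize?response_type=code",
    [h("Origin", ORIGIN), h("Access-Control-Request-Method", "GET")], 404, []),
  entry("OPTIONS", "https://tenant.example/oauth/token",
    [h("Origin", ORIGIN), h("Access-Control-Request-Method", "POST")],
    204, [h("access-control-allow-origin", ORIGIN)]),
  entry("OPTIONS", "https://api.example/profile",
    [h("Origin", ORIGIN), h("Access-Control-Request-Method", "PATCH")], 204, []),
] } };

// Case-insensitive header lookup; returns null when the header is absent.
function header(headers, name) {
  const hit = (headers || []).find((x) => x.name.toLowerCase() === name.toLowerCase());
  return hit ? hit.value : null;
}

// Classify every CORS preflight (OPTIONS carrying Access-Control-Request-Method).
function classifyPreflights(har) {
  return har.log.entries
    .filter((e) => e.request.method === "OPTIONS" &&
      header(e.request.headers, "Access-Control-Request-Method") !== null)
    .map((e) => {
      const path = new URL(e.request.url).pathname;
      const origin = header(e.request.headers, "Origin");
      const allowed = header(e.response.headers, "Access-Control-Allow-Origin");
      let verdict = "origin-not-allowed"; // genuine CORS configuration problem
      if (path === "/authorize") {
        verdict = "authorize-via-xhr"; // endpoint expects navigation, not XHR
      } else if (allowed !== null && (allowed === "*" || allowed === origin)) {
        verdict = "preflight-ok";
      }
      return { path, origin, status: e.response.status, verdict };
    });
}

console.log(classifyPreflights(sampleHar));
```

An `authorize-via-xhr` verdict points at the calling code rather than the allowed-origin settings, which is the distinction drawn in the reply above.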
