CORS issues on localhost

dave6 · May 21, 2021, 1:21am

I keep getting the following error when trying to update a user’s information using the following tutorial:

https://auth0.com/docs/users/update-root-attributes-for-users

http://locahost:3001 has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

I have added http://locahost:3001 to BOTH the Allowed Web Origins and Allowed Origins fields in my application settings. Please help!

ruchi · May 21, 2021, 10:11pm

Hi @dave6 - Welcome to Auth0 community!

Can you please clarify if you are using our Universal login solution or Embedded lock? Also, do you have a custom domain present in your tenant?

dave6 · May 21, 2021, 10:24pm

Hi! Thank you for you prompt reply.

I am using Universal Login, and I do not have a custom domain present in my tenant.

I am having the issue for both my development and production environments.

ruchi · May 23, 2021, 5:34pm

Can you try and update url to https://localhost:3001 instead of http:// - if that doesn’t work can you DM me the name of your tenant?

dave6 · May 23, 2021, 11:37pm

That did not work. DM’ing you now.

konrad.sopala · May 24, 2021, 10:26am

Once you figure it out @ruchi please share it here in the topic for the benefit of others!

dave6 · May 26, 2021, 12:00am

I have DM’d @ruchi a few days ago and I have gotten nothing back on this issue.

This issue renders Auth0 completely useless. I will have to switch authentication services if I do not get help with this problem. @konrad.sopala

ruchi · May 26, 2021, 4:00am

Apologies for the delay @dave6 - Thank you for sending over the names of your tenants. Looking at your tenants, I see that the application you are using is a SPA - Are you also using our SPA SDK?

In order for me to further troubleshoot, can you also please DM me a HAR file? Details on capturing a .har can be found here:

konrad.sopala · May 26, 2021, 11:41am

Thanks for following up on that!

dave6 · May 27, 2021, 1:27am

Yes I am using the SPA SDK - I am using React with the @auth0/auth0-react package.

I am calling getTokenSilently with the SDK, and passing the token to the api/v2/users/user_id endpoint to try to update the user. I will DM you a HAR file now

ruchi · May 28, 2021, 6:30pm

Thanks for sharing the HAR file, @dave6 - It looks like this isn’t a CORS failure–the OPTIONS method is not supported on the /authorize endpoint as it is expected the browser will request the page directly and not via an xhr request.

Some alternatives here would be:

A redirect flow to /authorize with prompt=none
getTokenSilently() method if using the auth0-spa-js SDK
a refresh token flow (this can do an xhr request to /oauth/token)

You could look into refresh token rotation:

Refresh Token Rotation
With that setup you could likely extend the useful life of refresh tokens safely.
You could also consider increasing the length of the browser session and use checkSession in auth0.js or getTokenSilently in auth0-spa-js:
- Configure Silent Authentication (auth0.js)
- Auth0 Single Page App SDK (auth0-spa-js)

Both of these will use the auth0 session cookie to request a new token in the background. Depending on your architecture this can cause unexpected behavior with Safari Intelligent Tracking Prevention and Chrome incognito mode. In that case refresh token rotation can sidestep those issues.

system · June 12, 2021, 6:31pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.