
CORS - Non-interactive client

cors
non-interactive

#1

I’m getting a CORS issue when trying to get an Auth0 Management API access token using a non-interactive client. I tried adding http://localhost:8100 to Allowed Web Origins & Allowed Origins (CORS). It does not work. I can use a CORS enabler plugin in Chrome and solve the issue, but that gives me another error when I’m trying to make other API calls. Is there any solution that I can apply in my Ionic project or in Auth0?
Thanks.


#2

You should never use a non-interactive client on behalf of users, so there should be no need to add the origins. If you need to use the management API, you should use your own intermediary API rather than make requests from the user-facing application.

Since you have a mobile application, you should use the authorization code grant with PKCE.

You can configure your intermediary API in Auth0 and specify it as an audience when performing the authorization flow. This will result in the access token containing an aud claim with the identifier of your API, which your API backend will check for when verifying the token. You can then make the necessary requests to the management API using the non-interactive client issued token from the backend based on the request from the user.

I suggest you read through the articles on API authorization to gain a better understanding of how this works.