CORS Policy Issue with Auth0 Integration on WordPress Site

Hello Auth0 Support Team,

We are currently using the Auth0 WordPress plugin on our site (exchange.1e.com) to allow a limited set of customers to log in using their Azure AD credentials. However, we are encountering a CORS policy error:
Access to XMLHttpRequest at ‘https://oneeonline.auth0.com/usernamepassword/challenge’ from origin ‘https://exchange.1e.com’ has been blocked by CORS policy.

In the Auth0 Dashboard, we have already configured both Allowed Web Origins and Allowed Origins (CORS) to include: https://exchange.1e.com

Within the WordPress Auth0 plugin settings:

  • Features tab: Universal Login Page → Enabled; Override WordPress Avatars → Enabled
  • Advanced tab: Force HTTPS Callback → Enabled
  • Embedded tab: No options enabled

Additionally, we have successfully configured a custom domain (login.exchange.1e.com) following the official documentation, and completed all related setup in both the Auth0 dashboard and our Exchange admin portal.

Despite this, the CORS issue persists. Initially, the error referenced oneeonline.auth0.com, whereas after configuring the custom domain it now references login.exchange.1e.com. This suggests the issue remains unresolved despite the domain change.

Could you please help us identify what might be missing or misconfigured?

Thank you for your support.

Best regards,
Biswa

Hi @biswa.das

Welcome to the Auth0 Community!

Are you using an embedded Lock widget to perform the authentication using Azure AD by any chance? If so, since the embedded widget tries to make a call to the Auth0 domain, the browser blocks it due to Cross-Origin Authentication.

I would suggest trying one of the following options:

  • If you are not redirecting the user but the login trigger is a custom page or embedded widget, enforce true universal login by having a simple link which is used to initialize the login to point to your WordPress login route (should be https://exchange.1e.com/wp-login.php) which will trigger the full-page redirect to your custom domain.
  • Enable Cross-Origin Authentication for your application. You can do this by going to Applications → Application → Your_App → Settings → Cross-Origin Authentication → Enable the toggle → Add the Allowed Origins.

Let me know if this does the trick for you!

Kind Regards,
Nik
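
When an allowed origin is configured but the browser still blocks the call, comparing the response headers of the blocked request against the browser's rules shows which one failed. The following is an added example, not part of the original thread or of Auth0's code: a simplified model of the CORS check, assuming the request is sent with credentials; `corsVerdict` and all sample header values are constructed for illustration.

```javascript
// Added example: simplified model of the browser-side CORS check.
// All header values below are constructed samples, not captured Auth0 responses.
function corsVerdict(origin, responseHeaders, opts = {}) {
  const { credentials = false, requestHeaders = [] } = opts;
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }

  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (allowOrigin === "*") {
    if (credentials) return { allowed: false, reason: "wildcard origin with credentials" };
  } else if (allowOrigin !== origin) {
    // Exact string match: scheme, host and port, and no trailing slash.
    return { allowed: false, reason: "origin mismatch" };
  }
  if (credentials && h["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "Access-Control-Allow-Credentials is not true" };
  }

  // Preflight only: every non-safelisted request header must be listed.
  const listed = (h["access-control-allow-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  for (const name of requestHeaders.map((s) => s.toLowerCase())) {
    const wildcardOk = !credentials && listed.includes("*") && name !== "authorization";
    if (!listed.includes(name) && !wildcardOk) {
      return { allowed: false, reason: `request header not allowed: ${name}` };
    }
  }
  return { allowed: true, reason: "ok" };
}

const ORIGIN = "https://exchange.1e.com"; // site origin from the thread
const request = { credentials: true, requestHeaders: ["Content-Type"] };
const good = { // constructed response headers
  "Access-Control-Allow-Origin": "https://exchange.1e.com",
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Headers": "content-type",
};

console.log(corsVerdict(ORIGIN, good, request));
console.log(corsVerdict(ORIGIN, { ...good, "Access-Control-Allow-Origin": ORIGIN + "/" }, request));
console.log(corsVerdict(ORIGIN, { ...good, "Access-Control-Allow-Origin": "*" }, request));
console.log(corsVerdict(ORIGIN, {}, request));
```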

Hi again!

Since you have not replied back regarding the matter, I will be marking my previous reply as the solution.

Feel free to jump back with any additional information or post again referencing this topic!

Kind Regards,
Nik