CORS pre-flight fails for new tenant / universal login

I am seeing this error in the browser running my SPA:

Access to XMLHttpRequest at 'https://naboo.auth0.com/authorize?client_id=xxxxxxDNNEQS2NyxHxYxxxxx&redirect_uri=http%3A%2F%2Flocalhost%3A4004%2Fapi%2Fauth%2Fauth0%2Fcallback&response_type=code&scope=openid+profile+email' (redirected from 'http://localhost:4004/api/auth/auth0') from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Here is the pre-flight request that occurs just before the redirect to Auth0 universal login would occur (and immediately before the CORS error occurs):

Request URL: https://naboo.auth0.com/authorize?client_id=xxxxxxxNNEQS2NyxHxxxxx&redirect_uri=http%3A%2F%2Flocalhost%3A4004%2Fapi%2Fauth%2Fauth0%2Fcallback&response_type=code&scope=openid+profile+email
Request Method: OPTIONS
Remote Address: 34.213.13.63:443
Status Code: 200
Version: HTTP/2
Referrer Policy: no-referrer-when-downgrade

Request Headers:
Host: naboo.auth0.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: GET
Referer: http://localhost:3000/
Origin: http://localhost:3000
Connection: keep-alive
TE: Trailers

Response Headers:
HTTP/2 200 OK
date: Mon, 29 Jun 2020 01:07:19 GMT
content-type: text/plain; charset=utf-8
content-length: 2
server: nginx
ot-tracer-spanid: 1c4f351a49f69bc4
ot-tracer-traceid: 1ce0269e4e251871
ot-tracer-sampled: true
ot-baggage-auth0-request-id: 12b402f6410c035935b8b33e
x-auth0-requestid: db04ae8908a55c2a63b5
set-cookie: did=s%3Av0%3Ae148ef50-b9a4-11ea-8eff-17e93d3f3ab5.x30FKNZU%2Fndsi0I%2FTWeZsyVbZnvsqHzf3QxLCJzEWDc; Max-Age=31557600; Path=/; Expires=Tue, 29 Jun 2021 07:07:19 GMT; HttpOnly; Secure; SameSite=None
set-cookie: did_compat=s%3Av0%3Ae148ef50-b9a4-11ea-8eff-17e93d3f3ab5.x30FKNZU%2Fndsi0I%2FTWeZsyVbZnvsqHzf3QxLCJzEWDc; Max-Age=31557600; Path=/; Expires=Tue, 29 Jun 2021 07:07:19 GMT; HttpOnly; Secure
access-control-max-age: 1000
access-control-allow-methods: GET, PUT, POST, DELETE, PATCH, OPTIONS
access-control-allow-headers: Origin, Content-Type, Accept, X-Requested-With, Authorization, Auth0-Client, X-Request-Language
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
cache-control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-transform
strict-transport-security: max-age=15724800
x-robots-tag: noindex, nofollow, nosnippet, noarchive
X-Firefox-Spdy: h2

The Access-Control-Allow-Origin header is not returned by Auth0.

In my Auth0 regular web application I have Allowed Web Origins and Allowed Origins (CORS) both set to http://localhost:3000 and, as you can see from the request above, that is the origin specified in the pre-flight request.

Why is Auth0 not returning Access-Control-Allow-Origin header with a value of http://localhost:3000?

Hi @DaveMuirhead,

It looks like this could be a browser issue like this SO issue:

Otherwise, can you share more about your setup? Which Auth0 SDK are you using, which versions, and how are you making the request (code can be helpful)?

Can you let me know if this is the problem?

Thanks,
Dan

The pre-flight request I showed was executed using curl. I intentionally factored all JavaScript frameworks out of the equation, so there is no Auth0 SDK in the game at all in the case above.

However I will try the remedy in the linked post.

Okay, so I followed the idea in the linked post and added the following to /etc/hosts on my laptop:

127.0.0.1	localhost dave.brsg.io

And I added http://dave.brsg.io to Allowed Web Origins and Allowed Origins (CORS) in my Auth0 regular web application settings.

Then I ran the curl command again:

[502][davem: /Users/davem]$ curl -H "Origin: http://dave.brsg.io:3000/"  -H "Access-Control-Request-Method: GET"  -H "Access-Control-Request-Headers: X-Requested-With"  -X OPTIONS --verbose https://naboo.auth0.com/authorize?client_id=xxxxxxxDNNEQS2NyxHxxxxxxx&redirect_uri=http%3A%2F%2Flocalhost%3A4004%2Fapi%2Fauth%2Fauth0%2Fcallback&response_type=code&scope=openid+profile+email
[1] 1338
[2] 1339
[3] 1340
[2]-  Done                    redirect_uri=http%3A%2F%2Flocalhost%3A4004%2Fapi%2Fauth%2Fauth0%2Fcallback
[3]+  Done                    response_type=code
[503][davem: /Users/davem]$ *   Trying 34.213.13.63...
* TCP_NODELAY set
* Connected to naboo.auth0.com (34.213.13.63) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.auth0.com
*  start date: Jun 25 00:00:00 2020 GMT
*  expire date: Jul 25 12:00:00 2021 GMT
*  subjectAltName: host "naboo.auth0.com" matched cert's "*.auth0.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fbed5806600)
> OPTIONS /authorize?client_id=xxxxxNNEQS2NyxHxxxxxx HTTP/2
> Host: naboo.auth0.com
> User-Agent: curl/7.54.0
> Accept: */*
> Origin: http://dave.brsg.io:3000/
> Access-Control-Request-Method: GET
> Access-Control-Request-Headers: X-Requested-With
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< date: Wed, 01 Jul 2020 19:03:41 GMT
< content-type: text/plain; charset=utf-8
< content-length: 2
< server: nginx
< ot-tracer-spanid: 33b3aa172a32af73
< ot-tracer-traceid: 5cf7b9dc1fdf973b
< ot-tracer-sampled: true
< ot-baggage-auth0-request-id: 4d3dfa4accd8b1cc44bd4744
< x-auth0-requestid: f7e53029fd43b759bb84
< set-cookie: did=s%3Av0%3A94498f40-bbcd-11ea-a73b-310a06ceaa0e.lhGEq5ZcbNQqqjJCEYqtNEbCxyDc8W6yJNqSe2KpPZQ; Max-Age=31557600; Path=/; Expires=Fri, 02 Jul 2021 01:03:41 GMT; HttpOnly; Secure; SameSite=None
< set-cookie: did_compat=s%3Av0%3A94498f40-bbcd-11ea-a73b-310a06ceaa0e.lhGEq5ZcbNQqqjJCEYqtNEbCxyDc8W6yJNqSe2KpPZQ; Max-Age=31557600; Path=/; Expires=Fri, 02 Jul 2021 01:03:41 GMT; HttpOnly; Secure
< access-control-max-age: 1000
< access-control-allow-methods: GET, PUT, POST, DELETE, PATCH, OPTIONS
< access-control-allow-headers: Origin, Content-Type, Accept, X-Requested-With, Authorization, Auth0-Client, X-Request-Language
< etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
< cache-control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-transform
< strict-transport-security: max-age=15724800
< x-robots-tag: noindex, nofollow, nosnippet, noarchive
<
* Connection #0 to host naboo.auth0.com left intact
OK
[1]+  Done                    curl -H "Origin: http://dave.brsg.io:3000/" -H "Access-Control-Request-Method: GET" -H "Access-Control-Request-Headers: X-Requested-With" -X OPTIONS --verbose https://naboo.auth0.com/authorize?client_id=xxxxxxNNEQS2Nyxxxxxxx

I still did not get an Access-Control-Allow-Origin header in the response.
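
The thread shows two pre-flight exchanges and, in both, no Access-Control-Allow-Origin header comes back. The script below is an added example (not code from the thread or from Auth0) that evaluates a captured pre-flight response offline the way a browser does: it serializes the page's origin per RFC 6454 (scheme://host[:port], no path and no trailing slash, which is what belongs in the Origin header), then checks the allow-origin, allow-methods and allow-headers response headers against the requested origin, method and headers. The response headers are constructed from the ones quoted above; everything else (function names, the credentials flag) is an assumption made for the example.

```python
"""Offline evaluation of a CORS pre-flight exchange (added example, not thread code)."""
from urllib.parse import urlsplit

# Constructed from the pre-flight response headers quoted in the thread.
# Note the absence of Access-Control-Allow-Origin, which is the symptom reported.
PREFLIGHT_RESPONSE = [
    ("access-control-max-age", "1000"),
    ("access-control-allow-methods", "GET, PUT, POST, DELETE, PATCH, OPTIONS"),
    ("access-control-allow-headers",
     "Origin, Content-Type, Accept, X-Requested-With, Authorization, Auth0-Client, X-Request-Language"),
    ("content-type", "text/plain; charset=utf-8"),
]

# Methods and headers a browser sends without needing explicit permission.
# Simplification: Content-Type is only safelisted for a few values; we do not check the value.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


def serialize_origin(url):
    """RFC 6454 serialization of the origin of `url`: scheme://host[:port].
    Lower-cased host, default port dropped, no path and no trailing slash."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    default_port = {"http": 80, "https": 443}[parts.scheme]
    origin = f"{parts.scheme}://{parts.hostname}"
    if parts.port is not None and parts.port != default_port:
        origin += f":{parts.port}"
    return origin


def header(headers, name):
    """All values of header `name` (case-insensitive), in order."""
    return [v for n, v in headers if n.lower() == name.lower()]


def _csv(values):
    """Split comma-separated header values into a lower-cased token set."""
    return {t.strip().lower() for v in values for t in v.split(",") if t.strip()}


def preflight_verdict(headers, origin, method, request_headers=(), credentials=False):
    """Return the reasons a browser would reject this pre-flight response.
    An empty list means the actual request would be allowed to proceed."""
    reasons = []
    acao = header(headers, "Access-Control-Allow-Origin")
    if not acao:
        reasons.append("no Access-Control-Allow-Origin header")
    elif len(acao) > 1:
        reasons.append("multiple Access-Control-Allow-Origin headers")
    elif acao[0] == "*":
        if credentials:  # wildcard is refused for credentialed (cookie/Authorization) requests
            reasons.append("wildcard origin not allowed with credentials")
    elif acao[0] != origin:
        reasons.append(f"allowed origin {acao[0]!r} does not match {origin!r}")

    if credentials and header(headers, "Access-Control-Allow-Credentials") != ["true"]:
        reasons.append("Access-Control-Allow-Credentials: true missing")

    allowed_methods = _csv(header(headers, "Access-Control-Allow-Methods"))
    wildcard_methods = "*" in allowed_methods and not credentials
    if method.upper() not in SIMPLE_METHODS and method.lower() not in allowed_methods \
            and not wildcard_methods:
        reasons.append(f"method {method} not allowed")

    allowed_headers = _csv(header(headers, "Access-Control-Allow-Headers"))
    wildcard_headers = "*" in allowed_headers and not credentials
    for h in request_headers:
        hl = h.lower()
        if hl in SAFELISTED_HEADERS or hl in allowed_headers or wildcard_headers:
            continue
        reasons.append(f"request header {h} not allowed")
    return reasons


if __name__ == "__main__":
    page_origin = serialize_origin("http://localhost:3000/")
    print("origin:", page_origin)
    print("as captured:", preflight_verdict(PREFLIGHT_RESPONSE, page_origin, "GET", ["X-Requested-With"]))
    fixed = PREFLIGHT_RESPONSE + [("access-control-allow-origin", page_origin)]
    print("with allow-origin:", preflight_verdict(fixed, page_origin, "GET", ["X-Requested-With"]))
```

Running it against the captured headers reports exactly the browser's complaint (no Access-Control-Allow-Origin), and appending a matching allow-origin header clears it; swapping the origin for a different host, or adding credentials against a wildcard, produces the corresponding rejection instead, which makes the checker useful for comparing a tenant's configured origins against what actually comes back on the wire.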
