Error: No verifier returned from client

tobias.walter · July 27, 2022, 8:40am

Hi there,

we are trying to use auth0.js for login. With Chrome it’s not a problem, but Firefox or Chrome incognito mode yields No verifier returned from client.

Here is our simple test setup:

index.html:

<html>
  <head>
    <script src="https://cdn.auth0.com/js/auth0/9.19.0/auth0.min.js"></script>
  </head>
  <body>
    <script>
      const auth = new auth0.WebAuth({
        domain: domain,
        clientID: clientId,
        redirectUri: `http://localhost:4200/callback`,
        audience: audience,
        scope: 'openid email profile',
        responseType: 'token id_token'
      });

      const state = JSON.stringify({
        redirectUrl: '/'
      });
      const nonce = "random";

      auth.login({
          realm: 'Username-Password-Authentication',
          username: username,
          password: password,
          redirectUri: `http://localhost:4200/callback`,
          state: state,
          nonce: nonce
        },
        err => {
          console.log(err);
        });
    </script>
  </body>
</html>

callback.html:

<html>
  <head>
    <script src="https://cdn.auth0.com/js/auth0/9.19.0/auth0.min.js"></script>
  </head>
  <body>
    <script>
      const auth = new auth0.WebAuth({
        domain: domain,
        clientID: clientId,
        redirectUri: `http://localhost:4200/callback`,
        audience: audience,
        scope: 'openid email profile',
        responseType: 'token id_token'
      });

      const state = JSON.stringify({
        redirectUrl: '/'
      });
      const nonce = "random";

      auth.parseHash({
        hash: window.location.hash,
        nonce: nonce,
        state: localStorage.getItem('state')
      }, (err, authResult) => {
        console.log(err);
        console.log(authResult);
      });
    </script>
  </body>
</html>

auth.parseHash returns the error:

{
    "error": "invalid_request",
    "errorDescription": "No verifier returned from client.",
    "state": "{\"redirectUrl\":\"/\"}"
}

We’ve set up a Cross-Origin Verification Fallback like this:

<!DOCTYPE html>
<html>

<head>
  <script src="https://cdn.auth0.com/js/auth0/9.0.0/auth0.min.js"></script>
  <script type="text/javascript">
    var auth0Client = new auth0.WebAuth({
      domain: domain,
      redirectUri: redirectUri,
      clientID: clientId,
      responseType: 'token'
    });
    auth0Client.crossOriginVerification();
  </script>
</head>

<body></body>

</html>

Anything we’re doing wrong? It not only happens on localhost, also on staging environment.

radko.lyutskanov · December 15, 2022, 3:16pm

Hello, We do have exactly the same problem. Even though we do have custom domain set, we do have cross origin verification file hosted on the same location as the embedded sign up lock form. for example

(https://3d24-78-130-209-11.ngrok.io/auth0/index.html) contains the Cross-Origin Verification Fallback
(https://3d24-78-130-209-11.ngrok.io/register) contains the embedded lock form.

And still if you try to perform operation login / sign up via the form you get redirected with

authorize/resume?state=XXXX with header location
/register#error=invalid_request&error_description=No verifier returned from client