Error: No verifier returned from client

Hi there,

We are trying to use auth0.js for login. With Chrome it’s not a problem, but Firefox or Chrome incognito mode yields “No verifier returned from client”.

Here is our simple test setup:

index.html:

<html>
  <head>
    <script src="https://cdn.auth0.com/js/auth0/9.19.0/auth0.min.js"></script>
  </head>
  <body>
    <script>
      const auth = new auth0.WebAuth({
        domain: domain,
        clientID: clientId,
        redirectUri: `http://localhost:4200/callback`,
        audience: audience,
        scope: 'openid email profile',
        responseType: 'token id_token'
      });

      const state = JSON.stringify({
        redirectUrl: '/'
      });
      const nonce = "random";

      auth.login({
          realm: 'Username-Password-Authentication',
          username: username,
          password: password,
          redirectUri: `http://localhost:4200/callback`,
          state: state,
          nonce: nonce
        },
        err => {
          console.log(err);
        });
    </script>
  </body>
</html>

callback.html:

<html>
  <head>
    <script src="https://cdn.auth0.com/js/auth0/9.19.0/auth0.min.js"></script>
  </head>
  <body>
    <script>
      const auth = new auth0.WebAuth({
        domain: domain,
        clientID: clientId,
        redirectUri: `http://localhost:4200/callback`,
        audience: audience,
        scope: 'openid email profile',
        responseType: 'token id_token'
      });

      const state = JSON.stringify({
        redirectUrl: '/'
      });
      const nonce = "random";

      auth.parseHash({
        hash: window.location.hash,
        nonce: nonce,
        state: localStorage.getItem('state')
      }, (err, authResult) => {
        console.log(err);
        console.log(authResult);
      });
    </script>
  </body>
</html>

auth.parseHash returns the error:

{
    "error": "invalid_request",
    "errorDescription": "No verifier returned from client.",
    "state": "{\"redirectUrl\":\"/\"}"
}

We’ve set up a Cross-Origin Verification Fallback like this:

<!DOCTYPE html>
<html>

<head>
  <script src="https://cdn.auth0.com/js/auth0/9.0.0/auth0.min.js"></script>
  <script type="text/javascript">
    var auth0Client = new auth0.WebAuth({
      domain: domain,
      redirectUri: redirectUri,
      clientID: clientId,
      responseType: 'token'
    });
    auth0Client.crossOriginVerification();
  </script>
</head>

<body></body>

</html>

Anything we’re doing wrong? It happens not only on localhost but also on the staging environment.

Hello, we do have exactly the same problem. Even though we do have a custom domain set, we do have the cross-origin verification file hosted at the same location as the embedded sign-up Lock form. For example:

(https://3d24-78-130-209-11.ngrok.io/auth0/index.html) contains the Cross-Origin Verification Fallback
(https://3d24-78-130-209-11.ngrok.io/register) contains the embedded lock form.

And still, if you try to perform a login / sign-up operation via the form, you get redirected with

authorize/resume?state=XXXX with header location
/register#error=invalid_request&error_description=No verifier returned from client

Hey, the same issue here, has anyone found a solution?

Did you find a fix for this issue?

Hi @sabina96clerk, and thank you for bringing this subject back to light so we can provide a solution!

The root cause of the “No verifier returned from client” error is that the method uses auth.login() with a username and password and relies on cross-origin authentication using third-party cookies.

Modern browsers, particularly Firefox (with Enhanced Tracking Protection) and Chrome Incognito mode, block third-party cookies by default for privacy reasons. This breaks the communication channel that auth0.js uses to complete the login, leading to the error you’re seeing. The “Cross-Origin Verification Fallback” is a legacy mechanism that also struggles with these modern privacy restrictions and cannot fix this underlying issue.

To fix this reliably across all browsers, you must switch from the cross-origin auth.login() method to the redirect-based Authorization Code Flow. This flow does not depend on third-party cookies and is the current best practice.

The change is straightforward: instead of logging the user in behind the scenes, you will redirect them to the Auth0 Universal Login page to enter their credentials. So you need to replace the webAuth.login() call with webAuth.authorize(). This method will handle redirecting the user to your Auth0 login page.

Please take a look at our docs for an example.

I hope this helps you!
Teodor.
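
The redirect round trip recommended in the answer above depends on a per-login `state` value kept in first-party storage instead of a third-party cookie. The following is an added example, not code from the thread or from auth0.js: `beginLogin`, `completeLogin`, the storage key and the config field names are assumptions, `storage` stands for `window.sessionStorage` in the browser, and the code exchange itself (with PKCE in a browser-only app) is left to the SDK or backend.

```javascript
// Added example: state/nonce bookkeeping for a redirect-based login.
// Function names and STORAGE_KEY are hypothetical, not part of auth0.js.
const webCrypto = globalThis.crypto ||
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const STORAGE_KEY = 'login_tx';

// Unpredictable per-login value (the thread's code used the constant "random").
function randomToken(bytes = 32) {
  const buf = webCrypto.getRandomValues(new Uint8Array(bytes));
  return Array.from(buf, b => b.toString(16).padStart(2, '0')).join('');
}

// Build the /authorize URL and remember the transaction in first-party storage.
function beginLogin(storage, cfg, returnTo = '/') {
  const tx = { state: randomToken(), nonce: randomToken(), returnTo };
  storage.setItem(STORAGE_KEY, JSON.stringify(tx));
  const url = new URL(`https://${cfg.domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: cfg.clientID,
    redirect_uri: cfg.redirectUri,
    audience: cfg.audience,
    scope: 'openid email profile',
    state: tx.state,
    nonce: tx.nonce
  }).toString();
  return url.toString();
}

// Validate the callback URL against the stored transaction (single use).
function completeLogin(storage, callbackUrl) {
  const raw = storage.getItem(STORAGE_KEY);
  storage.removeItem(STORAGE_KEY); // a replayed callback finds nothing
  if (!raw) throw new Error('no login in progress');
  const tx = JSON.parse(raw);
  const params = new URL(callbackUrl).searchParams;
  const error = params.get('error');
  if (error) throw new Error(`${error}: ${params.get('error_description')}`);
  if (params.get('state') !== tx.state) throw new Error('state mismatch');
  if (!params.get('code')) throw new Error('missing code');
  // Only same-origin relative paths are accepted as the post-login target.
  const returnTo = /^\/(?![\/\\])/.test(tx.returnTo) ? tx.returnTo : '/';
  // The caller compares tx.nonce with the ID token's nonce claim after exchange.
  return { code: params.get('code'), nonce: tx.nonce, returnTo };
}
```

In the page, `window.location.assign(beginLogin(sessionStorage, cfg))` starts the login and the callback page passes `window.location.href` to `completeLogin`.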