https://<subdomain>.eu.auth0.com/usernamepassword/challenge being called and returning 404 initialising Auth0 Lock

Please include the following information in your post:

  • Which SDK this is regarding: e.g. Auth0 Lock for Windows and auth0.js
  • SDK Version: e.g. 11.29.1 and 9.15.0
  • Code Snippets/Error Messages/Supporting Details/Screenshots:

On initialising password-based login using Lock I always see the following CORS error emitted within the browser, caused by a 404:

Access to XMLHttpRequest at 'https://MY_AUTH_DOMAIN.eu.auth0.com/usernamepassword/challenge' from origin 'https://MY_APP_DOMAIN/' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
auth0.min.esm.js?b0af:8 POST https://MY_AUTH_DOMAIN.eu.auth0.com/usernamepassword/challenge net::ERR_FAILED
Request._end @ auth0.min.esm.js:13
Request.end @ auth0.min.esm.js:13
RequestObj.end @ auth0.min.esm.js:13
Authentication.getChallenge @ auth0.min.esm.js:13
getChallenge @ p2_api.js:205
getChallenge @ web_api.js:75

I’ve made lots of attempts to address the CORS error by setting the appropriate calling domains in the Auth0 application config, but finally determined it is a 404, not a CORS problem.

I’m unsure if it is having any negative impact. Logins seem to work ok.

I’ve found previous reports of this in the community, but none of those seemed to come to a conclusion. The best comment seems to be this one.

It seems related to this code so I tried not setting the state parameter in the Lock options and that does stop the error being logged, however I want to use the state parameter so that is not a solution.


We are also having this same issue, with exactly the same analysis as Steve8:

  • Some code in Lock is calling getChallenge() from auth0 core library. Link in Steve’s post.
  • The call does nothing if state is null
    • We cannot have this: We need the state
  • If state is not null, the code calls /usernamepassword/challenge
    • At least on custom domain servers there is no such functionality => 404, which shows as CORS error
  • The code appears in 11.20, 11.19 works without errors.

I was trying to upgrade from 11.3 to the latest 11.30. At the moment we cannot have these extra errors coming into our log because such false errors can hide real problems. In security related code that is unacceptable. So I have to revert back to 11.19. That is from 2019, so it is a bit disappointing.

Hi Olli

FYI I spoke to Auth0 support about this recently and they acknowledged that it happens and is a false error and said…

The error you see will not affect the regular login flow, as you have already experienced.

This error is due to how the SDK is written. Our SDK tries to incorporate all the features like captcha and brute force protection and advanced features. Not all the features are available to all the tenants. Some of them are based on which plan you are on.

The /usernamepassword/challenge is the captcha endpoint which is only available to Enterprise customers as an addon. As this feature is not enabled on your tenant, you see the error message.
Rest assured this will never affect your authentication flow.

Feels like the SDK needs some sort of config options so you can instruct it which plan / feature set it should be acting on.
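Since the SDK offers no such option, one defender-side workaround for Olli's concern (false errors hiding real ones in the log) is to tag only this exact pattern as known-benign at the error-reporting layer, while keeping every other auth-related failure visible. The following is an added example, not code from Auth0 or the Lock SDK; the event shape, the tenant domain and the sample events are constructed for illustration.

```javascript
// Triage client-side error reports so the benign failure described in this
// thread (Lock calling the captcha endpoint /usernamepassword/challenge on a
// tenant without the add-on; the 404 carries no Access-Control-Allow-Origin
// header, so the browser reports it as a CORS error) is tagged separately.
// Event shape {url, message} is an assumption of this example.
const CHALLENGE_PATH = "/usernamepassword/challenge";
const CORS_OR_FAILED = /blocked by CORS policy|net::ERR_FAILED/;

function classifyAuth0ClientError(event, expectedAuthDomain) {
  let url;
  try {
    url = new URL(event.url);
  } catch (e) {
    return "investigate"; // malformed URL: never silently drop it
  }
  // URL.hostname is lowercased, so compare against a lowercased domain.
  const onAuthDomain = url.hostname === expectedAuthDomain.toLowerCase();
  const isChallenge = url.pathname === CHALLENGE_PATH;
  const looksLikeCors = CORS_OR_FAILED.test(event.message || "");
  // Only the exact combination from the thread is benign; a CORS-looking
  // error on another endpoint or an unexpected host is kept for review.
  if (onAuthDomain && isChallenge && looksLikeCors) {
    return "known-benign-challenge-404";
  }
  return "investigate";
}

function triage(events, expectedAuthDomain) {
  const out = { benign: [], investigate: [] };
  for (const ev of events) {
    const verdict = classifyAuth0ClientError(ev, expectedAuthDomain);
    (verdict === "investigate" ? out.investigate : out.benign).push(ev);
  }
  return out;
}

// Constructed sample events; the first mirrors the console output above.
const sampleEvents = [
  { url: "https://my-tenant.eu.auth0.com/usernamepassword/challenge",
    message: "Access to XMLHttpRequest ... has been blocked by CORS policy" },
  { url: "https://my-tenant.eu.auth0.com/co/authenticate",
    message: "POST https://my-tenant.eu.auth0.com/co/authenticate net::ERR_FAILED" },
  { url: "https://other.example/usernamepassword/challenge",
    message: "blocked by CORS policy" },
];
const result = triage(sampleEvents, "my-tenant.eu.auth0.com");
console.log(result.benign.length, "benign,", result.investigate.length, "to investigate");
```

The same filter can sit in front of whichever error reporter the app uses; the point is that the suppression key is the full (host, path, error-kind) triple, not just "CORS error".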

Thanks for relaying it to the rest of community!