Https://<subdomain>.eu.auth0.com/usernamepassword/challenge being called and returning 404 initialising Auth0 Lock

Please include the following information in your post:

  • Which SDK this is regarding: e.g. Auth0 Lock for Windows and auth0.js
  • SDK Version: e.g. 11.29.1 and 9.15.0
  • Code Snippets/Error Messages/Supporting Details/Screenshots:

On initialising password based login using Lock I always see the following CORS error emitted within the browser caused by 404

Access to XMLHttpRequest at 'https://MY_AUTH_DOMAIN.eu.auth0.com/usernamepassword/challenge' from origin 'https://MY_APP_DOMAIN/' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
auth0.min.esm.js?b0af:8 POST https://MY_AUTH_DOMAIN.eu.auth0.com/usernamepassword/challenge net::ERR_FAILED
Request._end @ auth0.min.esm.js:13
Request.end @ auth0.min.esm.js:13
RequestObj.end @ auth0.min.esm.js:13
Authentication.getChallenge @ auth0.min.esm.js:13
getChallenge @ p2_api.js:205
getChallenge @ web_api.js:75

I’ve made lots of attempts to address the CORs setting the appropriate calling domains in the Auth0 application config but finally determined it is a 404, not a CORs problem.

I’m unsure if it is having any negative impact. Logins seem to work ok.

I’ve found previous reports of this in the community, but none of those seemed to come to a conclusion. The best comment seems to be this one.

It seems related to this code so I tried not setting the state parameter in the Lock options and that does stop the error being logged, however I want to use the state parameter so that is not a solution.