Auth0 Home Blog Docs

Incorrect error message when disabling legacy lock? (CORS)


#1

When trying to disable the legacy lock API we see the following output in logs:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://domain.auth0.com/user/ssodata/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

There was an error fetching the SSO data. This could simply mean that there was a problem with the network. But, if a “Origin” error has been logged before this warning, please add “http://localhost:8080” to the “Allowed Origins (CORS)” list in the Auth0 dashboard: …

The http://localhost:8080 domain is definitely within the textarea next to the Allowed Origins (CORS) option.

I’m wondering if this is a problem with the error message, or if there is some way that we can further debug this?


#2

I had same issue and this fixed it - basically, use webAuth.passwordlessLogin instead of webAuth.passwordlessVerify. Not sure if it applies in your case.

From message by @kim.noel:

" @vantechstudio were you able to solve your issue? For others seeing this, we should be able to use webAuth.passwordlessLogin instead of webAuth.passwordlessVerify and that should fix this issue moving forward."


#3

Thanks. Seems we’re using the lock.js APIs though, which should already leverage passwordlessLogin under the hood?


#4

One thing was in my case I was directly calling passwordlessVerify instead of passwordlessLogin. From that code it looks like it should not have mattered, so I’ll need to check again to see where I was in the troubleshooting process when it helped. I seem to remember that it was the last thing that finally got it all going again.

Also - as for the CORS stuff, does the textbox you’re referring to gave the label “Allowed Web Origins”?