We capture user sessions and are seeing multiple instances of 401 errors, and finally managed to replicate locally and get more information. Here’s the error message we’re seeing:
Failed to load resource: the server responded with a status of 401 ()
main.cc1f3730e8f97b935bc8.bundle.js:2 ServerError: Response not successful: Received status code 401
    at t.throwServerError (npm.apollo.e827d4c1dd736c63e8b6.bundle.js:1:93277)
    at npm.apollo.e827d4c1dd736c63e8b6.bundle.js:1:87549
(anonymous) @ main.cc1f3730e8f97b935bc8.bundle.js:2
overview:1 Access to XMLHttpRequest at 'https://redacted.us.auth0.com/oauth/token' from origin 'https://redacted.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
This doesn’t happen very often, so I feel confident it’s not a configuration issue.
https://redacted.com is included in Allowed Callback URLs, Allowed Logout URLs, Allowed Web Origins, and Allowed Origins (CORS).
I also feel confident it’s not a token refresh issue; I’ve set token expiration to a shorter duration and witnessed the refresh process working just fine.