Auth0 Home Blog Docs

Invalid Token (request has been terminated)



After updating rememberLastLogin for my hosted login page, I began receiving an odd error. This is especially puzzling, because unless I accidentally updated something else, I made no other changes to my code, the client, or the hosted login other than removing social network connections. Regardless, I went back and reverted those changes to no avail. Currently I am using React with Auth.js version 8.
Here is the function in which the error occurs:

handleAuthentication(nextState, replace) {
  if (/access_token|id_token|error/.test(nextState.location.hash)) {
    this.props.auth.auth0.parseHash((err, authResult) => {
      if (authResult && authResult.accessToken && authResult.idToken) {
      } else if (err) {
        this.setStateVal('loggedIn', false)

and here is the error message:

error :
"Request has been terminated↵Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.

Any questions or ideas would be much appreciated. This has me completely stumped.


Based on the information provided the error is coming from Auth0.js library when it tries to perform ID token validation. In order to validate an ID token signed with RS256 the library needs to obtain the public key associated with the private key that actually signed the ID token and for that the library performs a network call to a well-known endpoint where the public key can be obtained. A CORS issue with that network request would explain the error message, however, I was not able to reproduce this in my tests.

The recommendation would be for you to update the question with:

  • the exact Auth0.js version being used.
  • the callback URL’s configured in the client application and any Allowed Origins (CORS) URL’s you might also configured.
  • the URL being used to access the application/where the application is running.
  • an HTTP capture of an authentication flow that leads to the error in question.

Be sure to remove any sensitive information from the captured trace and you can also redact/mask some of the URL as long as you do it consistently in all places it is used. In addition, you can share the HTTP trace in a password protected file and then only allow email addresses access to the password by using service.