Based on the information provided, the error is coming from the Auth0.js library when it tries to perform ID token validation. In order to validate an ID token signed with RS256, the library needs to obtain the public key associated with the private key that actually signed the ID token, and for that the library performs a network call to a well-known endpoint where the public key can be obtained. A CORS issue with that network request would explain the error message; however, I was not able to reproduce this in my tests.
The recommendation would be for you to update the question with:
- the exact Auth0.js version being used.
- the callback URLs configured in the client application and any Allowed Origins (CORS) URLs you might also have configured.
- the URL being used to access the application/where the application is running.
- an HTTP capture of an authentication flow that leads to the error in question.
Be sure to remove any sensitive information from the captured trace; you can also redact/mask some of the URL as long as you do it consistently in all places it is used. In addition, you can share the HTTP trace in a password-protected file and then only allow @auth0.com email addresses access to the password by using the sharelock.io service.
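
The RS256 check described in the answer, as an added example that is not part of the original answer and is not Auth0.js code: it selects the public key from a JWKS document by the token's `kid`, verifies the signature, and shows how a missing JWKS (for instance when the key request fails) surfaces as a validation failure. The key pair, `kid`, claims and function names are constructed for illustration; claim checks such as `iss`, `aud`, `exp` and `nonce` are assumed to happen separately.

```javascript
const { generateKeyPairSync, createPublicKey, sign, verify } = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const fromB64url = (s) => Buffer.from(s, 'base64url');

// Constructed stand-in for the issuer: a throwaway RSA key pair and the JWKS
// document that the well-known endpoint would serve for it.
const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
const SAMPLE_KID = 'constructed-key-1';
const sampleJwks = {
  keys: [{ ...publicKey.export({ format: 'jwk' }), kid: SAMPLE_KID, use: 'sig', alg: 'RS256' }],
};

// Builds a constructed RS256 token so the example runs offline.
function signSampleToken(claims, kid = SAMPLE_KID) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }));
  const input = header + '.' + b64url(JSON.stringify(claims));
  return input + '.' + b64url(sign('RSA-SHA256', Buffer.from(input), privateKey));
}

// Signature-only validation of an RS256 token against a JWKS document.
function verifyRs256(token, jwks) {
  // If the key document never arrived, validation cannot proceed at all.
  if (!jwks || !Array.isArray(jwks.keys)) return { ok: false, reason: 'JWKS unavailable' };
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed token' };
  let header;
  try {
    header = JSON.parse(fromB64url(parts[0]).toString('utf8'));
  } catch (e) {
    return { ok: false, reason: 'malformed header' };
  }
  // Pin the algorithm instead of trusting whatever the token header claims.
  if (header.alg !== 'RS256') return { ok: false, reason: 'unexpected alg' };
  const jwk = jwks.keys.find((k) => k.kty === 'RSA' && k.kid === header.kid);
  if (!jwk) return { ok: false, reason: 'no matching key in JWKS' };
  const key = createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  const signed = Buffer.from(parts[0] + '.' + parts[1]);
  if (!verify('RSA-SHA256', signed, key, fromB64url(parts[2]))) {
    return { ok: false, reason: 'bad signature' };
  }
  try {
    return { ok: true, claims: JSON.parse(fromB64url(parts[1]).toString('utf8')) };
  } catch (e) {
    return { ok: false, reason: 'malformed payload' };
  }
}
```
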