Jwks.json CORS issue

I am using the React SPA guide as a template: Auth0 React SDK Quickstarts: Login

I am redirected to the hosted login page and login successfully. However, when I try to process the token, the XHR is blocked with this error:

“Request has been terminated
Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.”

The URL of the request is: https://MY_AUTH0_DOMAIN/.well-known/jwks.json

What am I doing wrong? I have the domain listed as an Allowed Origin (CORS) in the auth0 panel.

This is especially bad on mobile safari iOS as it causes an infinite login loop. On desktop it seems to fail the first time but then reload the page and work the second time.

1 Like

I did a few tests with a SPA (granted it was not React, but that does not seem relevant for the situation in question) and I was not able to reproduce any issue in relation to CORS failing for the jwks.json request. I didn’t even use the Allowed Origin (CORS) explicitly and just relied on the fact that the origin associated with my SPA callback URL would be eligible automatically to call that endpoint.

I also inspected the actual requests in the browser tools and the CORS header allowing my SPA origin were being sent as expected and the browser was completely okay with retrieving the JWK’s. You may want to review if the callback URL’s and the application origin is white-listed correctly, in particular, correctly check that the scheme, host and port from where you’re running the application is indeed allowed, because a simple port difference could explain this.


I was informed that you may get into this situation when using some older versions of Firefox (44 as an example) in a Windows environment; somehow the browser would not send the origin header so if you hit this you may want to exclude this possibility by ensuring you’re in an up to date browser.