Well, for anybody interested, this was fixed by inserting a fake URL as a callback and enabling it as a callback in the web lock config, something like this:

```js
var lock = new Auth0Lock(lock_id, 'meterian.auth0.com', {
  auth: {
    redirect: false,
    // The two settings below were highlighted in the original post.
    responseType: 'token',
    // Placeholder: the fake URL that was enabled as a callback.
    redirectUrl: your_fake_url_here
  },
  allowSignUp: true,
  container: 'login-container',
  rememberLastLogin: false,
  theme: {
    logo: '/images/logo.png',
    primaryColor: 'blue'
  }
});
```

Remember also the `responseType: 'token'` bit. See some details of a similar issue raised on GitHub here:
opened 12:00AM - 14 Mar 18 UTC
closed 04:50PM - 16 Mar 18 UTC
So we're migrating from Lock 10 to Lock 11.
And sign in only works for the new … Lock if the current page URL is present in the "Allowed Callback URLs" list.
Which doesn't make much sense because we've configured Lock to be `{ auth: { redirect: false } }` and still it's outputting this error:
`iframe-handler.js:53`
GET https://college-consortium-students-develop.auth0.com/authorize?client_id=8ByEbGpPAG0Kne2GPmaN6GACEdNajB5a&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fsections%2F2684%2Fregister&state=45L8V6~wiPvb7m6rJEbmH~nMAFYTnd7a&scope=openid%20email%20app_metadata&realm=Username-Password-Authentication&login_ticket=K9Dez9nTJus8wnkPAYmd8o7eaJycKgLz&response_mode=web_message&prompt=none&auth0Client=eyJuYW1lIjoibG9jay5qcyIsInZlcnNpb24iOiIxMS4zLjAiLCJsaWJfdmVyc2lvbiI6IjkuMy4wIn0%3D 403 ()
So, "Allowed Callback URLs" is all about callbacks and we don't need any callbacks.
Still there's a forced `redirect_url` parameter in the URL and my guess is that it's the trigger for the 403 status error on Auth0 server side.
Perhaps if Lock didn't send any `redirect_url` parameter then it wouldn't respond with a 403 error.
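
An added example (not code from this thread or from Auth0) that checks whether the `redirect_uri` Lock will send is in the application's "Allowed Callback URLs", which is the condition the post and the issue tie to the 403. The function names, the sample request, the allow-list and the exact-string comparison are assumptions made for illustration.

```javascript
// Added example: function names are hypothetical, all sample values are constructed.

// Pull the parameters relevant to the 403 out of a captured /authorize request.
function parseAuthorizeRequest(requestUrl) {
  const params = new URL(requestUrl).searchParams;
  return {
    redirectUri: params.get('redirect_uri'),
    responseType: params.get('response_type'),
    responseMode: params.get('response_mode'),
  };
}

// redirect_uri that will be sent: auth.redirectUrl when set, otherwise the
// current page URL (the behaviour reported in the quoted issue).
function effectiveRedirectUri(lockOptions, currentPageUrl) {
  const auth = (lockOptions && lockOptions.auth) || {};
  return auth.redirectUrl || currentPageUrl;
}

// Assumption: the tenant compares redirect_uri to each entry as an exact string.
function isAllowedCallback(redirectUri, allowedCallbacks) {
  return typeof redirectUri === 'string' && allowedCallbacks.includes(redirectUri);
}

// Predict whether the silent /authorize call will be rejected for this page.
function diagnose(lockOptions, currentPageUrl, allowedCallbacks) {
  const redirectUri = effectiveRedirectUri(lockOptions, currentPageUrl);
  const allowed = isAllowedCallback(redirectUri, allowedCallbacks);
  return { redirectUri, allowed, expect403: !allowed };
}

// Constructed sample data (not taken from a real tenant).
const SAMPLE_REQUEST =
  'https://tenant.example/authorize?client_id=PLACEHOLDER&response_type=token' +
  '&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fsections%2F2684%2Fregister' +
  '&response_mode=web_message&prompt=none';
const ALLOWED_CALLBACKS = ['https://app.example/callback-placeholder'];

const sent = parseAuthorizeRequest(SAMPLE_REQUEST);
// Without redirectUrl the page URL is sent and is not on the list.
console.log(diagnose({ auth: { redirect: false } }, sent.redirectUri, ALLOWED_CALLBACKS));
// With redirectUrl pinned to a registered entry the check passes on any page.
console.log(diagnose(
  { auth: { redirect: false, responseType: 'token', redirectUrl: ALLOWED_CALLBACKS[0] } },
  sent.redirectUri, ALLOWED_CALLBACKS));
```
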