Hi community,
I have an issue: suddenly I get a CORS error when requesting “/.well-known/jwks.json”.
Access to fetch at 'https://<acc>.auth0.com/.well-known/jwks.json' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
Hi,
I have the same issue as of today.
I noticed that if I use https it is not happening, but it is not ideal as it is more convenient to use http for local development.
You can try it as a workaround for the meantime though…
Having exactly the same issue as of today. And it’s stopping local development since we’re heavily integrated with Auth0.
Published/hosted versions seem to still work fine, they are running on the same URL however, not API/Front end running on different URLs for local development, probably thus the CORS error?
One of our users is experiencing the same issue today, on Friday it was working fine. Can the issue be affecting only users from specific locations?
The user affected is from Jordan, other users from Spain, Ghana and India are logging in fine.
I’m having the exact same issue with my production environment.
I’m using two different tenants for dev and production, but the app settings in Auth0 are the same in both.
Dev works, production doesn’t.
I also tried using older code that used to work with current setup and it doesn’t anymore.
So I’m risking a guess it’s not on my side. Did an update go live over the weekend or something?
EDIT:
There has been an update to Universal Login on the 14th according to the changelog.
EDIT 2: auth0-js ver. 9.12.2
But as I mentioned before - the same code works on one tenant but not on another with the same settings.
I am having the same issues since upgrading from Chrome 87.0.4280.88 to Chrome 87.0.4280.141 today. I also have co-workers and customers reporting issues. Is there anything I can do in my setup to remedy this, or is it on Auth0’s end?
Encountered in Chrome and Edge, for some specific users on some specific environment.
It is a BIG issue right now and we have no visibility on what could have gone wrong.
We have an increasing number of users concerned by the error - as it seems to be “sticky”.
Please report all your cases to Auth0, they need to investigate at this point.
It indeed looks like a problem with Auth0’s Cloudflare configuration. The /.well-known/jwks.json request doesn’t return any CORS headers, and changing settings doesn’t reset the cache (getting the same x-auth0-requestid).
Sorry for all the inconvenience! Let me dive into it with our engineering teams! Can you update your posts with the SDKs that you are using in your implementations?
From the looks of it, the “origin” header plays a role in Auth0’s Cloudflare configuration, so using an alias for the hostname and adding it to the CORS settings in the admin panel would be a temporary solution to bypass the Cloudflare cache. Testing it now.
This, of course, would be only relevant for teams that can rename the service URL.
WARNING: This is a hack. Revert when Auth0 has fixed the issue.
To everyone who ends up here with the same issue in production, here is a workaround while the Auth0 team fixes the issue:
Download the current version of your jwks.json file (generally available at https://your_app.your_region.auth0.com/.well-known/jwks.json) and store it on your domain to avoid CORS issues, or somewhere where you can easily set CORS headers (for instance S3).
Then, client-side, when instantiating WebAuth, use a private setting to tell it where to find the jwks file: