No 'Access-Control-Allow-Origin' header issue

@aranderia15 @ajv please ensure that the origin is configured in the Allowed Web Origins and/or Allowed Origins (CORS) settings in the respective Application (the and/or depends on what APIs you are using).

If that doesn’t help please include more details such as: what API are you using? are you sending a client_id and is the origin configured in the respective Application? what SDK or client are you using to make the request? what is the actual error or behaviour that you are encountering?

1 Like

For us, it turned out to be an outage with the /.well-known/jwks.json endpoint instead - Regression: The .well-known/jwks.json file throws 502 Bad Gateway

This has been resolved for us :ok_hand:

1 Like

Thanks for sharing that with the rest of the community!

I am still having this issue. But if I use Chrome in incognito mode I can just log in like normal.

1 Like

And now it just works. I didn’t really change anything ¯\_(ツ)_/¯

1 Like

And now it is only working if I sign in with Google.

1 Like

This might be a Chrome issue.

1 Like

Hey guys, I am facing the same error, but coming from a different place. After trying to sign up with any special character (öéÖä), I started to see the error, and no users are able to log in, even after cleaning the local cache.

Access to XMLHttpRequest at 'https://auth-dev.[ourDomain]/usernamepassword/challenge' from origin [ourDomain] has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I don’t know if it might help, but in order to avoid CORS issues, we added a custom domain to our application

I’m running into this error as well when attempting to upgrade our version of auth0-lock. I dug in a bit, and the breaking change seems to occur between Release v11.19.0 · auth0/lock · GitHub and Release v11.20.0 · auth0/lock · GitHub. I assume it is the underlying SDK upgrade.

I have confirmed that my domains are added to both Allowed Web Origins and Allowed Origins (CORS).


The same error using the WordPress Auth0 plugin and the Embedded form with shortcode.

For the Universal Login page it works fine.
Domains are added to Allowed Web Origins and Allowed Origins (CORS).

This is happening because of CORS (Cross Origin Resource Sharing). For every HTTP request to a domain, the browser attaches any HTTP cookies associated with that domain. This is especially useful for authentication, and setting sessions. You are doing an XMLHttpRequest to a different domain than your page is on. So the browser is blocking it as it usually allows a request in the same origin for security reasons. You need to do something different when you want to do a cross-domain request.

JSONP (JSON with Padding) is a method commonly used to bypass the cross-domain policies in web browsers. You’re on domain, and you want to make a request to domain example.nett. To do so, you need to cross domain boundaries. JSONP is really a simple trick to overcome the XMLHttpRequest same domain policy. So, instead of using XMLHttpRequest we have to use <script> HTML tags, the ones you usually use to load JavaScript files, in order for JavaScript to get data from another domain.


If you need to enable CORS on the server in case of localhost, you need to have the following on request header.

    Access-Control-Allow-Origin: http://localhost:9999

Also, this kind of trouble is now partially solved simply by using the following jQuery instruction:

    $.support.cors = true;
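
As an added example (not part of the original posts and not Auth0's code), the function below models the check a browser applies to the response to a preflight request, which is what produces the error in this thread's title. The function names, origin and sample responses are constructed; the `Access-Control-*` headers are read from the server's response, so an error page from a gateway that carries no CORS headers fails the same check.

```javascript
// Added example: model of the browser-side preflight check (hypothetical names).
// Not modeled: redirects, caching, and value-dependent safelisting of headers.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
// Content-Type is safelisted only for a few values, so this model always requires it.
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);

function lower(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

function list(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// req: { origin, method, headers: [names], credentials: bool }
// res: { status, headers: { name: value } } -- the response to the OPTIONS preflight
function checkPreflight(req, res) {
  const h = lower(res.headers);
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return "blocked: no Access-Control-Allow-Origin header";
  if (req.credentials) {
    // With credentials the wildcard is not accepted; the exact origin is required.
    if (allowOrigin !== req.origin) return "blocked: origin mismatch (credentialed request)";
    if (h["access-control-allow-credentials"] !== "true") return "blocked: credentials not allowed";
  } else if (allowOrigin !== "*" && allowOrigin !== req.origin) {
    return "blocked: origin mismatch";
  }
  if (res.status < 200 || res.status > 299) return "blocked: preflight status not ok";
  const methods = list(h["access-control-allow-methods"]);
  const m = req.method.toUpperCase();
  const anyMethod = methods.includes("*") && !req.credentials;
  if (!SAFE_METHODS.has(m) && !methods.includes(m.toLowerCase()) && !anyMethod)
    return "blocked: method not allowed";
  const allowed = list(h["access-control-allow-headers"]);
  const anyHeader = allowed.includes("*") && !req.credentials;
  for (const name of req.headers.map((n) => n.toLowerCase())) {
    if (SAFE_HEADERS.has(name)) continue;
    if (!allowed.includes(name) && !(anyHeader && name !== "authorization"))
      return `blocked: header ${name} not allowed`;
  }
  return "allowed";
}

// Constructed sample: a credentialed JSON POST answered by a gateway error page.
const sampleReq = { origin: "https://app.example.com", method: "POST",
                    headers: ["Content-Type", "X-Example"], credentials: true };
const gatewayError = { status: 502, headers: { "Content-Type": "text/html" } };
console.log(checkPreflight(sampleReq, gatewayError));
```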

Thanks for sharing that with the rest of the community!

I’ve had this issue with Rails 7.0. Turbo was interfering with the CORS process.

I switched off Turbo for the button:

-<%= button_to 'Login', '/auth/auth0', method: :post %>
+<%= button_to 'Login', '/auth/auth0', method: :post, data: { turbo: "false" } %>
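
Review bot: the `data: { turbo: "false" }` option on the `+` line arrives without any explanation in the template, so a later cleanup could remove it and bring the CORS failure back. Add an ERB comment above the button saying that Turbo is switched off for the `/auth/auth0` POST because it interfered with the CORS process, and keep `method: :post` as it is in both lines.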

It now works!


Woooohooo! Glad it worked and thanks for sharing!
