Passwordless CORS and/or HTTPS requirements?

passwordless
passwordless-email
passwordless-sms

#1

My application (Vue.js / SPA) requires passwordless auth and I’m trying to test out a simple hello-world to no avail. I’ve gone through all the docs, set up my code as shown here:

I get my auth code via SMS successfully, but when calling passwordlessLogin(), I get this error in Chrome:

Access to XMLHttpRequest at ‘https://mysite.auth0.com/co/authenticate’ from origin ‘http://localhost:8080’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource

Same issue whether using Custom UI or Lock. Also same issue whether using HTTPS or even a custom domain/host on my local machine (https://example.com:8080)

And of course, don’t ask: yes I have my URL (http://localhost:8080) set as a Callback in my Application Settings, and also in the Allow Origins CORS section (supposedly redundant, but whatev).

Pulling hair out, wasting hours… what am I missing???


#2

You mention you added the origin http://localhost:8080 in the Allowed Callback URLs and in the Allow Origins (CORS) (they are not redundant) but I have to ask… Did you add the origin to the Allowed Web Origins setting? That’s the one required for the Cross-Origin Authentication (/co/authenticate) protocol to work.


#3

Holy cow. Total noob, yes, that was it. I obviously knew the importance of setting the URLs in there, but I was hyper-focused on the one labeled “CORS” and not the “Web” origins.

Thanks.

Now to figure out how to disable “consent” when the login is made from my known domain, 1st-party app…


#4

Take a look here, but you can’t skip the consent dialog if using localhost.


#5

Wow, yes, that would have been a head scratcher regarding localhost.

I tried it by setting a local custom domain as a test and indeed, the consent screen was skipped!

Many thanks!
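
The two points raised in replies #2 and #4 (the origin must be in Allowed Web Origins for /co/authenticate, and consent cannot be skipped on localhost) can be checked before testing in the browser. The following is an added example, not part of the original thread and not Auth0 code: the function names and finding codes are hypothetical, the sample clients are constructed, and it assumes the application settings are available as an object using the Management API field names `callbacks`, `allowed_origins` and `web_origins`.

```javascript
// Reduce a URL to its origin (scheme + host + port), which is what the
// browser sends in the Origin header of the preflight request.
function originOf(url) {
  return new URL(url).origin;
}

// True when any entry has the same origin. Exact match only: wildcard
// entries are not evaluated, and unparsable entries are skipped.
function listsOrigin(entries, origin) {
  return (entries || []).some((entry) => {
    try { return originOf(entry) === origin; } catch { return false; }
  });
}

// Hypothetical pre-flight check of an application's settings for a SPA
// served from pageUrl. Returns an array of finding codes (empty = OK).
function checkSpaOrigin(client, pageUrl) {
  const origin = originOf(pageUrl);
  const findings = [];
  if (!listsOrigin(client.callbacks, origin)) {
    findings.push("MISSING_CALLBACK"); // Allowed Callback URLs
  }
  if (!listsOrigin(client.web_origins, origin)) {
    // Allowed Web Origins: the setting /co/authenticate depends on.
    // An entry in allowed_origins (CORS) does not substitute for it.
    findings.push("MISSING_WEB_ORIGIN");
  }
  if (new URL(pageUrl).hostname === "localhost") {
    findings.push("LOCALHOST_CONSENT"); // consent dialog cannot be skipped
  }
  return findings;
}

// Constructed sample: the configuration described in post #1.
const asPosted = {
  callbacks: ["http://localhost:8080"],
  allowed_origins: ["http://localhost:8080"],
  web_origins: [],
};
// Constructed sample: origin added to web_origins, local custom domain.
const corrected = {
  callbacks: ["https://example.com:8080"],
  allowed_origins: ["https://example.com:8080"],
  web_origins: ["https://example.com:8080"],
};

console.log(checkSpaOrigin(asPosted, "http://localhost:8080/"));
console.log(checkSpaOrigin(corrected, "https://example.com:8080/login"));
```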