I get my auth code via SMS successfully, but when calling passwordlessLogin(), I get this error in Chrome:
Access to XMLHttpRequest at ‘https://mysite.auth0.com/co/authenticate’ from origin ‘http://localhost:8080’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource
Same issue whether using Custom UI or Lock. Also same issue whether using HTTPS or even a custom domain/host on my local machine (https://example.com:8080)
And of course, don’t ask: yes I have my URL (http://localhost:8080) set as a Callback in my Application Settings, and also in the Allow Origins CORS section (supposedly redundant, but whatev).
Pulling hair out, wasting hours… what am I missing???
You mention you added the origin http://localhost:8080 in the Allowed Callback URLs and in the Allow Origins (CORS) (they are not redundant) but I have to ask… Did you add the origin to the Allowed Web Origins setting? That’s the one required for the Cross-Origin Authentication (/co/authenticate) protocol to work.
Holy cow. Total noob, yes, that was it. I obviously knew the importance of setting the URLs in there, but I was hyper-focused the one labeled “CORS” and not the “Web” origins.
Thanks.
Now to figure out how to disable “consent” when the login is made from my known domain, 1st-party app…