Problems after setting up Custom Domain : no app_metadata & CORS policy issue

After setting up Custom Login, the app_metadata stopped being passed to my site.

I know there is a rule that auth0 authorization extension automatically creates, and it has an EXTENSION_URL variable that is still assigned to the default domain, do I have to change this?

There is also a problem on signup it returns a CORS policy error, but I already set up the domain to be added on the Allowed Web Origins.

All the documented changes about Custom Domain have been done, is there anything more I should be doing?

Hi @ben12 and thanks for reaching out,

I know you had mentioned seeing to all the documented changes so apologies if you’ve already reviewed this doc, but could you confirm your custom login has been updated appropriately? That material covers a number of other aspects surrounding custom login and domains. If you’ve already gone through those resources, would you mind sending me your tenant name in a DM? I might be able to see a bit better what’s happening that way.

I’m also linking to our rules in relation to the authorization extension, I don’t see mention of a default rule that gets created automatically what’s the rule name that got created when you installed the extension?

Sorry I don’t have an immediate fix but please review the material, and I’ll be happy to assist further once I know a bit more.


Yup my universal login page is already using the custom domain I’ve set up, and also added the overrides and added the URLs on the Application setting. I’ll send you the tenant name in a DM.

The rule name is “auth0-authorization-extension” and on the comments at the top of it, it says “This rule been automatically generated by auth0-authz-extension.”

Hi @ben12,

Thanks very much for the tenant info, I wasn’t able to see anything right away that points to the issue. Just to confirm based on your first message, the app_metadata stopped being passed once you set up your Custom Domain or your Custom Login page? The message seems to reference both and could point to different issues.

As per your rule, which I now understand was just generated once you had gone through the configuration steps outlined here. I’d be curious if you’ve tried placing some console.logs particularly around the getPolicy() function to see if you the values being passed are what’s expected.

If you could also supply me with a .har that records the complete network transaction of a login attempt. It would also be quite helpful if you could capture a .har of a successful transaction where you don’t use the Custom Login/Custom Domain (whichever one was the breaking change) that way I can compare the traces and see where it’s breaking. Please send any .hars in a DM and remove any sensitive information prior.