There was an error fetching the SSO data

jgeerts · 2018-04-18 16:20:46 UTC

Hello,

We’re trying to enable a custom url for our tennant, I did all the configuration required and everything seems set up right. When I go to the url I can see the following error.

There was an error fetching the SSO data. This could simply mean that there was a problem with the network. But, if a "Origin" error has been logged before this warning, please add "https://my.url.com" to the "Allowed Web Origins" list in the Auth0 dashboard: https://manage.auth0.com/#/clients/{myClientId}/settings

Adding the url to the “Allowed Web Origins” didn’t help. When I watch my network traffic I can see that the default url (https://my-tennant.eu.auth0.com/user/ssodata) is called but on my custom domain it isn’t.

We use the default Lock object with a customized login page with version 11.4.0 and the client I am testing this with is OIDC conformant.

Strange thing is that we have multiple tennants and on our dev tennant (our oldest tennant) with the same configuration it works and calls the endpoints that I expect. When I look at the configuration object that Auth0 fills in I can see one difference which seems strange but I don’t know what the reason is for it.

When I visit the custom url on DEV it switches, if I go to the tennant authorize endpoint it will get filled with the url that I’m visiting, but on our UAT tennant it seems static and is always being filled with the tennant endpoint.

“auth0Domain”: “my.url.com” (DEV environment, is getting filled with the endpoint I’m visiting)
“auth0Domain”: “my-tennant.eu.auth0.com” (UAT, always pointing to Auth0 tennant domain)

Anybody else having this issue or that knows what’s going on here?

jeremy.meiss · 2018-04-18 17:49:49 UTC

It’s interesting that you say that /ssodata is being called - one thing to know in case you didn’t already, is that specific endpoint is being depracated. We recommend that customers use Universal Login, (this guide, Universal vs Embedded Login, explains the pros and cons in more detail). See Migrating from Embedded to Universal here: Migrating to Universal Login.

Related more to your problem though, is that it sure seems like a configuration issue. Have you verified that your tenants are setup correctly between the two environments?

jgeerts · 2018-04-19 08:52:19 UTC

If my tennant would be set up incorrectly I would like to understand how. We are using the universal login with the hosted login page with the Lock object.

In the settings of my tennant I’ve disabled all the Migrations switches so it shouldn’t be able to use any deprecated api’s but it’s still calling the /ssodata endpoint successfully. It’s even calling the endpoint when I disable our customized hosted login page or when I use the Lock template provided as an example in the hosted login page.

What could be causing this?

thameera · 2018-04-19 13:09:36 UTC

Can you verify that you have done the additional configuration mentioned here: https://auth0.com/docs/custom-domains/additional-configuration#universal-login

Basically you need to correctly set configurationBaseUrl and overrides object.

Just to be clear, /ssodata is deprecated only with embedded login - not universal login; so you’re not doing anything wrong, only a misconfiguration most probably.

jgeerts · 2018-04-20 09:47:11 UTC

Good to know that the I’m not using any deprecated endpoints.

I’ve done the additional configuration yes, the extra configuration that is in our Lock object is the following:

Preformatted text
configurationBaseUrl: config.clientConfigurationBaseUrl,
overrides: {
__tenant: config.auth0Tenant,
__token_issuer: config.auth0Domain
}

It’s this config.auth0Domain which seems to be filled with the domain I’m visiting (custom or Auth0) on our DEV tennant while it’s always filled with the Auth0 domain on our ACC tennant.