Thanks a lot for the quick reply, Markus.
This indeed seems like a workaround we could use as well. I guess the downside is that you’re never really able to ‘silently’ fetch the token any more? E.g. every time the page is loaded, a redirect to the login page (and back to the main app) happens?
I guess another option would be to set up some proxy service for the authentication, which doesn’t run in isolated mode and
- either runs on the same origin
- or adds the necessary CORP headers to the response
But this obviously has some security implications if not implemented well…
Quite a pity that Auth0 doesn’t support these CORP settings. Doesn’t seem like a hard thing to do.