Username and Password Login in hosted page sending 403 error


We have tried every possible combination and resource, but Auth0 currently returns a 403 on every login or sign-up attempt, even when trying the database connection (calling /authorize).

We have been using a hosted page for a year, and the problem seems to have appeared only recently.

I tried upgrading to Lock 11 and copy-pasting the params and default states, but nothing helped. This is the code currently in use (with username and password login hidden to avoid the bug):

<!DOCTYPE html>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
  <title>Identifícate para Navegar</title>
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />

  <!--[if IE 8]>
  <script src="//"></script>

  <!--[if lte IE 9]>
  <script src=""></script>
  <script src=""></script>
  <script src=""></script>
    // Decode utf8 characters properly
    var config = JSON.parse(decodeURIComponent(escape(window.atob('@@config@@'))));
    config.extraParams = config.extraParams || {};
    var connection = config.connection;
    var prompt = config.prompt;
    var languageDictionary;
    var language = "ES";
    var params = {scope: 'openid profile'};
                  params.state =;
    if (config.dict && config.dict.signin && config.dict.signin.title) {
      languageDictionary = { title: config.dict.signin.title,
                             signUpTerms: "He leído y acepto los <a href='' target='_new'>Términos de Uso</a> del servicio."
    } else if (typeof config.dict === 'string') {
      language = config.dict;
    var loginHint = config.extraParams.login_hint;
    var lock = new Auth0Lock(config.clientID, config.auth0Domain, {
      auth: {
        redirectUrl: "",
        responseType: 'code',
        params: params,
        audience : "",        
      assetsUrl:  config.assetsUrl,
      rememberLastLogin: !prompt,
      language: language,
      languageDictionary: languageDictionary,
      theme: {
        logo: '',
        primaryColor:    'green',
      mustAcceptTerms: true,
      oidcConformant: false,
      allowShowPassword: true,
      autofocus: true,   
      sso: false,
      allowedConnections: ['facebook','twitter'],     
      socialButtonStyle: 'big',
      prefill: loginHint ? { email: loginHint, username: loginHint } : null,
      closable: false,
      // uncomment if you want small buttons for social providers
      // socialButtonStyle: 'small'