Why does checkSession explicitly require Allowed Web Origin to be set?

I’m working with the auth0-spa-js library (version 1.13.6) and I keep getting the error “The specified redirect_uri ‘http://lvh.me:8080’ does not have a registered origin.”

After a quick search I realized that I need to set the URL in the Allowed Web Origin URLs, because of the checkSession method.

Is there a particular reason for that? Why is that necessary?

The thing is, on the first login, i.e. when there is no auth0 cookie set, the error does not appear. But after the user has logged in, the error shows up.

Hi @pavel.nikolov,

checkSession requires the “Allowed Web Origin URLs” setting to handle web message response mode. Auth0’s JS SDKs request tokens silently within an iframe to acquire a new Access Token/ID Token for the authenticated user. The Auth0 SDK will process the response and pass the result to a callback function provided by the app. In order for this to occur, the web origin is necessary for the message from the iframe to be posted to the application due to CORS.

Here you can read more about how silent authentication works: Configure Silent Authentication

Note: auth0-spa-js uses the method getTokenSilently instead of checkSession, but the same web message response mode is used in both methods. Docs: Migrate from Auth0.js to the Auth0 Single Page App SDK