I’m working with the auth0-spa-js library (version 1.13.6) and I keep getting the error “The specified redirect_uri ‘http://lvh.me:8080’ does not have a registered origin.”
After a quick search I realized that I need to set the URL in the Allowed Web Origin URLs, because of the checkSession method.
Is there a particular reason for that? Why is that necessary?
The thing is, on the first login, i.e. when there is no auth0 cookie set, the error does not appear. But after the user has logged in, the error shows up.
checkSession requires the “Allowed Web Origin URLs” setting to handle web message response mode. Auth0’s JS SDKs request tokens silently within an iframe to acquire a new Access Token/ID Token for the authenticated user. The Auth0 SDK will process the response and pass the result to a callback function provided by the app. In order for this to occur, the web origin is necessary for the message from the iframe to be posted to the application due to CORS.
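The exchange described in the answer above, as an added example that is not part of the original thread and is not Auth0's code: a simplified JavaScript model of web message response mode, showing why a redirect_uri with an unregistered origin is refused and how the application side filters the message it receives from the iframe. The tenant origin, the allowed-origin list, the state value and all function names are assumptions made for the illustration.

```javascript
// Simplified model of web message response mode (illustrative, not Auth0's implementation).
// Constructed sample value: the authorization server (tenant) origin is an assumption.
const AUTH_SERVER_ORIGIN = 'https://tenant.example.com';

// Authorization-server side: decide whether, and to which origin, the hidden
// iframe may post the result. The target is derived from redirect_uri and must
// be one of the origins registered for the application.
function buildWebMessageResponse(redirectUri, allowedWebOrigins, result) {
  const origin = new URL(redirectUri).origin;
  if (!allowedWebOrigins.includes(origin)) {
    return { error: `The specified redirect_uri '${redirectUri}' does not have a registered origin.` };
  }
  // In a browser the iframe would now call:
  //   window.parent.postMessage(message, targetOrigin)
  // A fixed targetOrigin means no other embedding page can receive the tokens.
  return { targetOrigin: origin, message: { type: 'authorization_response', response: result } };
}

// Application side: the 'message' event handler accepts a response only if it
// comes from the authorization server and matches the request's state value.
function acceptAuthorizationResponse(event, expectedState) {
  if (event.origin !== AUTH_SERVER_ORIGIN) return null;        // wrong sender
  const data = event.data;
  if (!data || data.type !== 'authorization_response') return null;
  if (!data.response || data.response.state !== expectedState) return null;
  return data.response;
}

// Constructed walk-through using the origin from the error message above.
function demo() {
  const registered = ['https://app.example.com'];              // constructed list
  const result = { code: 'constructed-code', state: 'st-123' };
  const rejected = buildWebMessageResponse('http://lvh.me:8080', registered, result);
  const ok = buildWebMessageResponse('http://lvh.me:8080',
    [...registered, 'http://lvh.me:8080'], result);
  const delivered = acceptAuthorizationResponse(
    { origin: AUTH_SERVER_ORIGIN, data: ok.message }, 'st-123');
  const spoofed = acceptAuthorizationResponse(
    { origin: 'https://other.example', data: ok.message }, 'st-123');
  return { rejected, ok, delivered, spoofed };
}
```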