CORS errors #400
Comments
Hi,
We've been wrestling with this for days now and leaning towards the idea
that it's the fault of the Bitnami WordPress distro.
Are you aware of what WordPress flavor the plugin is/was tested with?
Because it for sure doesn't work out of the box on Bitnami.
My domain is monoclemoney.auth0.com if that helps.
…On Mon, Feb 19, 2018 at 2:23 PM, Josh Cunningham ***@***.***> wrote:
@dmead <https://github.com/dmead> - That error message is saying that the
requested resource, https://<my-domain>.auth0.com/passwordless/verify, is
not allowing your site to access it. I'm guessing that your dashboard is
not set to allow your site to access. You want to make sure that your login
page is listed under *Allowed Callback URLs* in the Client settings (that
should have been set by default when it was setup).
|
I've done a fresh install of the latest WordPress with the latest Auth0 plugin. Still the same error. Even doing stuff like below in Apache doesn't help. GETs fail on cross-site policy and POSTs fail pre-flight checks.
Any ideas? Should this need cors adjustments at all? |
@dmead - Apologies for the delay here. The CORS error is coming from the Auth0 server, it's saying that your domain is not allowed to access the Auth0 server. This is to be expected for everything except your domain, once it's been added. Just so we're on the same page, make sure that:
All that said, I'm also seeing this error on my local install ("headless" WP setup similar to this, nothing out of the ordinary) so I'll need to investigate a bit to see why this is happening. It's possible that it's a configuration issue that can be corrected easily but I need to hunt down what's missing. One thing to note ... the newest version of Lock (the JavaScript that powers the login form) has passwordless built in so an upgrade to the plugin to account for that will be coming soon. I'll fast-track testing that and see if I can get a patch your way if the configuration doesn't pan out. |
We have all that set up and the CORS headers configured in Apache. Twilio works because I can get an authorization code, but on submit it fails CORS policy like a POST should (pre flight blah blah). And like I said, the entire process works if I just disable CORS on the browser, so it's not the configuration. I've even tried patching the plugin so it serves the JavaScript from my Apache instance (no Auth0 CDN involved) and it still errors out. If you'd like more specific debug info I'd be happy to provide privately. |
I've tried your suggested changes and had the same result |
Again, your Apache configuration doesn't need to change as this is a call from your browser to Auth0, won't make a difference either way. Also, where the JS loaded won't matter for this either (though there is a field in the plugin that allows you to change that). For the "disable cors on the browser," I'm sorry I mis-read that originally, I thought you said it didn't work that way. I think you're probably affected by this: https://auth0.com/docs/cross-origin-authentication I'll do some testing today or Monday and see if I can't help you get this figured out. |
@joshcanhelp did you do some tests already? |
Apologies for the delayed response here. I'm seeing the same issue you're having @dmead and have been digging into a fix over the last week. I think the problem stems from newer tenants not having access to older API endpoints. The library that runs passwordless in this plugin is out-of-date and has since been merged with the main library that runs that login page, Lock. All that to say: this needs some work on our end and it's high priority to get that working. It will need some thorough testing but we'll make sure it's in the next release. I might be able to package it up into a plugin to try out before it and, if I'm able, I'll post instructions here. Thanks for your patience! |
Edit: removed the testing plugin link. Please use the |
@joshcanhelp I was having the same issue on a WPengine staging environment and applied your fix. Works like a charm! I did still get an error on the initial load of the page, but login worked regardless:
|
Good to hear! That error won't affect logging in, it's just trying to get the country to auto-fill values. Check your CORS setting in the dashboard to make sure you've got everything configured. @dmead @alerdenisov - Are you able to test this out to see if it solves your issue? |
Fixed in #434 and merged into |
Hi @joshcanhelp, I know this was closed and probably my comment is I've configured Allowed Callback URLs already, and I'm using a custom domain. However even with the .auth0.com I get the CORS Issue with the passwordless.verifyCode function. Question 1: Is it possible to add the Access-Control-Allow-Origin on my custom domain? PS: all my calls are being requested inside the same root domain. |
Hi @leobarcellos ... this is a pretty specific issue with the WP plugin (more specifically, Lock) and is closed because the fix is merged into the The CORS errors you're seeing could be a number of different things, most commonly an incorrectly configured "Allowed Callback URLs" field, the one you mentioned. If that's definitely correct (the non-Auth0 domains you're using have been added), then the next most common is related to cross-origin authentication. It sounds like you're addressing that with a custom domain but it would be worth it to run through that doc again just in case. If you're still having the issue, we'll need reproduction steps so we can test it on our end. Include the code you're using on the page (exclude any sensitive info like your Client ID) and the steps you're taking to see the error. If this is in WordPress and you're testing with the |
Also make sure that the request header is not set to 'Access-Control-Allow-Origin': '*', which was the reason for the error in my case. |
Hi guys
I've got the plugin installed and can authenticate when I start Chrome with no security (google-chrome --disable-web-security --user-data-dir)
However, when I run the plugin as normal it errors out when I use either password or passwordless logins.
In the Chrome console I see:
Failed to load https://<my-domain>.auth0.com/passwordless/verify: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://<my-domain>.com' is therefore not allowed access.
Should I be editing my Apache config to fix this? Or does WordPress prefer I do something else?
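
Added example (not part of the thread or the plugin's code): a simplified JavaScript model of the check a browser applies to a preflight response, covering the missing `Access-Control-Allow-Origin` error quoted above and the stray request header mentioned in a later comment. The origin `http://site.example`, the function names and the sample responses are constructed for illustration.

```javascript
// Simplified model of the browser's CORS preflight check (Fetch standard).
// Non-credentialed requests only; all origins and responses are constructed samples.
const SAFE_METHODS = ["GET", "HEAD", "POST"];
const SAFE_HEADERS = ["accept", "accept-language", "content-language"];
const SAFE_CONTENT_TYPES = [
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Request header names that force a preflight and must be approved by the server.
function unsafeHeaders(requestHeaders) {
  return Object.entries(requestHeaders)
    .map(([name, value]) => [name.toLowerCase(),
      String(value).split(";")[0].trim().toLowerCase()])
    .filter(([name, value]) => name === "content-type"
      ? !SAFE_CONTENT_TYPES.includes(value)
      : !SAFE_HEADERS.includes(name))
    .map(([name]) => name);
}

// `res` holds the headers of the *target* server's OPTIONS response (lower-case keys).
// Headers configured on the page's own web server never enter this check.
function checkPreflight(req, res) {
  const acao = res["access-control-allow-origin"];
  if (!acao) return "blocked: no Access-Control-Allow-Origin header";
  if (acao !== "*" && acao !== req.origin) return `blocked: origin ${req.origin} not allowed`;
  const methods = list(res["access-control-allow-methods"]);
  const m = req.method.toUpperCase();
  if (!SAFE_METHODS.includes(m) && !methods.includes(m.toLowerCase()) && !methods.includes("*"))
    return `blocked: method ${m} not allowed`;
  const allowed = list(res["access-control-allow-headers"]);
  const denied = unsafeHeaders(req.headers)
    .filter((h) => !allowed.includes(h) && !allowed.includes("*"));
  return denied.length ? `blocked: request header ${denied[0]} not allowed` : "allowed";
}

// Constructed cross-origin JSON POST and a constructed "good" preflight response.
const req = { origin: "http://site.example", method: "POST",
  headers: { "Content-Type": "application/json" } };
const good = { "access-control-allow-origin": "http://site.example",
  "access-control-allow-headers": "content-type" };
const results = {
  missingHeader: checkPreflight(req, {}),     // target server does not list the origin
  originListed: checkPreflight(req, good),    // target server lists the origin
  strayRequestHeader: checkPreflight(         // client sends a response header as a request header
    { ...req, headers: { ...req.headers, "Access-Control-Allow-Origin": "*" } }, good),
};
console.log(results);
```
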