0

I use Auth0 API. The whole application is on a single Tomcat server, HTTPS connector. If the WebFilter checking for authentication finds the auth tokens, it does not call LoginServlet but normally continues to the destination servlet.

There are two cases when /authorize on Auth0's server is called:

  1. A link to some servlet S in a static web page, intercepted by a WebFilter. WebFilter then calls (if no auth tokens found) LoginServlet which successfully authenticates using Auth0, never a problem here.

  2. JS' fetch() to a servlet X, intercepted by the same WebFilter as above. WebFilter then calls (again, if no auth tokens found) exactly the same LoginServlet which calls exactly the same /authorize URL. This time it always fails with "No 'Access-Control-Allow-Origin' header".

Yet, if WebFilter finds the auth tokens and forwards normally to the servlet X, this one in turn has no problems calling Auth0 /userinfo.

The "No 'Access-Control-Allow-Origin' header" message specifies Origin, which is correct, the same in both cases, just the app's domain, and exists in Auth0 Application settings Allowed Web Origins and Allowed origins (CORS).

What is the source of the problem? How to authenticate an user, if his first interaction with the application is via JS? For example, the app' page is open, the session times outs and then the user presses a key which causes JS make call a servlet which requires an authentication.

Do not known if it has anything to do, but I run Tomcat on my local machine, so it is also localhost for Chrome.

Also, just tested: exactly the same servlet called via URL in browser's address bar or via a clicked link logs in ok, but called via fetch() causes the CORS error in question.

scriptfoo
  • 476
  • 5
  • 17

1 Answers1

0

From your JS code try to 

var auth0Client = new auth0.WebAuth({
      clientID: 'YOUR_CLIENT_ID',
      domain: 'YOUR_DOMAIN'
    });
    auth0Client.crossOriginVerification();

And Also Add the URL of this callback page to the Cross-Origin Verification Fallback field in your Application's settings in the Dashboard, under the Advanced > OAuth panel.

This may fix your issue, if not provide a feedback

Madaky
  • 389
  • 1
  • 9
  • They are using Tomcat not Apache HTTPD. They also claim they already have the CORS configuration set up. – Quentin May 20 '20 at 21:49
  • you can also have more information https://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains https://www.w3.org/wiki/CORS_Enabled – Madaky May 20 '20 at 21:50
  • @Quentin: "JS' fetch() to a servlet X, intercepted by the same WebFilter as above. WebFilter then calls (again, if no auth tokens found) exactly the same LoginServlet which calls exactly the same /authorize URL. This time it always fails with "No 'Access-Control-Allow-Origin' header". – Madaky May 20 '20 at 21:57
  • I run tomcat on localhost, but access it via internet name thanks to /etc/hosts. No idea if it has something to do. Anyways, exactly the same servlet called via URL in browser's address bar or via a clicked link logs in ok, called via fetch() causes the CORS error in question. – scriptfoo May 20 '20 at 22:15
  • That said, the outside can access it by same name. – scriptfoo May 21 '20 at 00:10