
linkUser causes CORS error in Chrome because of Auth0-Client header #363

Closed
vegardlarsen opened this issue Feb 19, 2017 · 4 comments
Labels
duplicate This is a duplicate of another issue or PR

Comments

@vegardlarsen

vegardlarsen commented Feb 19, 2017

I was trying to link two users into one, and I was getting a CORS error in Chrome:

XMLHttpRequest cannot load https://[redacted].eu.auth0.com/api/v2/users/auth0%7C[redacted]/identities. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8100' is therefore not allowed access.

I copied the preflight response as a cURL command:

curl 'https://[redacted].eu.auth0.com/api/v2/users/auth0%7C[redacted]/identities' -X OPTIONS -H 'Pragma: no-cache' -H 'Access-Control-Request-Method: POST' -H 'Origin: http://localhost:8100' -H 'Accept-Encoding: gzip, deflate, sdch, br' -H 'Accept-Language: nb-NO,nb;q=0.8,no;q=0.6,nn;q=0.4,en-US;q=0.2,en;q=0.2' -H 'User-Agent: Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Mobile Safari/537.36' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Referer: http://localhost:8100/' -H 'Connection: keep-alive' -H 'Access-Control-Request-Headers: authorization, content-type' --compressed

I tried this out in Postman, and got this response: {"message":"CORS error: Some headers are not allowed"}

On a hunch I removed the auth0-client part from Access-Control-Request-Headers: auth0-client, authorization, content-type, and the server stopped giving that error message.

Searching this repository, I found that this header is set in src/helpers/request-builder.js:87. Commenting out that line let the link request go through just fine. So to make this work for my case I had to disable telemetry where I created my management object:

const auth0Management = new auth0.Management({ 
    domain: domain, 
    token: idToken, 
    _sendTelemetry: false  // added this line
});

I think this is either a bug in Auth0.js or on your backend for not allowing that header. Your unit tests do not catch this because all of them appear to run with telemetry off.
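The failure described above is the server side of a CORS preflight rejecting a request header that is not on its allow-list. The following is an added example, not Auth0's code, that models that check: a browser lists every non-safelisted header of the real request in Access-Control-Request-Headers, and the server must name each one in Access-Control-Allow-Headers (case-insensitively) or the preflight fails and the POST is never sent. The allow-list, the allowed origin and the telemetry header value are constructed for the example and are not Auth0's actual configuration.

```python
"""Added example (not Auth0's code): a minimal model of the CORS preflight
allow-list check behind "CORS error: Some headers are not allowed".

The server policy, origin and telemetry value below are constructed for the
example; they are not Auth0's real configuration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def parse_header_list(value: str) -> list[str]:
    """Split a comma-separated header-name list; names are case-insensitive."""
    return [h.strip().lower() for h in value.split(",") if h.strip()]


def disallowed_request_headers(allow_headers: str, request_headers: str) -> list[str]:
    """Return the requested header names that are absent from the server allow-list."""
    allowed = set(parse_header_list(allow_headers))
    return [h for h in parse_header_list(request_headers) if h not in allowed]


@dataclass
class PreflightResponse:
    status: int
    headers: dict[str, str] = field(default_factory=dict)
    body: str = ""


def handle_preflight(request: dict[str, str], allowed_origins: set[str],
                     allow_methods: str, allow_headers: str) -> PreflightResponse:
    """Decide an OPTIONS preflight the way a typical CORS middleware does."""
    origin = request.get("Origin", "")
    method = request.get("Access-Control-Request-Method", "").upper()
    requested = request.get("Access-Control-Request-Headers", "")

    if origin not in allowed_origins:
        return PreflightResponse(403, body="CORS error: origin not allowed")
    if method not in {m.strip().upper() for m in allow_methods.split(",")}:
        return PreflightResponse(405, body="CORS error: method not allowed")
    if disallowed_request_headers(allow_headers, requested):
        # This is the branch the issue hit: 'auth0-client' was not allow-listed.
        return PreflightResponse(400, body="CORS error: Some headers are not allowed")

    return PreflightResponse(204, headers={
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": allow_methods,
        "Access-Control-Allow-Headers": allow_headers,
        "Vary": "Origin",
    })


def client_request_headers(token: str, send_telemetry: bool) -> dict[str, str]:
    """Headers a client like the one in the issue attaches to the linking POST.
    Mirrors the effect of the _sendTelemetry flag; the telemetry value is a placeholder."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    if send_telemetry:
        headers["Auth0-Client"] = "<base64 telemetry placeholder>"
    return headers


def preflight_for(headers: dict[str, str], origin: str, method: str = "POST") -> dict[str, str]:
    """Construct the OPTIONS request a browser would send before this request."""
    return {
        "Origin": origin,
        "Access-Control-Request-Method": method,
        # Browsers send the names lower-cased and comma-separated.
        "Access-Control-Request-Headers": ", ".join(sorted(h.lower() for h in headers)),
    }


# Constructed server policy: allows Authorization and Content-Type but not Auth0-Client.
ALLOWED_ORIGINS = {"http://localhost:8100"}
ALLOW_METHODS = "GET, POST, PATCH, DELETE"
ALLOW_HEADERS = "Authorization, Content-Type"


def simulate(send_telemetry: bool) -> PreflightResponse:
    """Run the preflight for a request built with telemetry on or off."""
    req = client_request_headers("example-token", send_telemetry)
    return handle_preflight(preflight_for(req, "http://localhost:8100"),
                            ALLOWED_ORIGINS, ALLOW_METHODS, ALLOW_HEADERS)


if __name__ == "__main__":
    for flag in (True, False):
        resp = simulate(flag)
        print(f"telemetry={flag}: {resp.status} {resp.body or 'preflight passed'}")
```

With telemetry on, the preflight carries `auth0-client, authorization, content-type` and is refused; with it off, the same origin and method pass. The durable fix is on the server, adding the header to Access-Control-Allow-Headers, rather than dropping the header client-side; note also that Authorization is not a CORS-safelisted header, so it must be allow-listed explicitly as well.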

@tgoldenberg

I had this same problem. I was also wondering where to get this.tokenSubject.value from? I was using the idToken part of the response but that must be wrong... @vegardlarsen

@vegardlarsen
Author

vegardlarsen commented Feb 21, 2017

No, use the idToken there. this.tokenSubject.value is just an artifact of how I have structured my code. @tgoldenberg

Update: I changed my code sample above so no-one else is confused. :)

@hzalaz hzalaz added the duplicate This is a duplicate of another issue or PR label Mar 1, 2017
@hzalaz
Member

hzalaz commented Mar 1, 2017

We have submitted the issue to the API backend team and the fix should be merged by EOW. Will close this one in favor of #328 and notify there. (Also, there are some workarounds mentioned there until it's merged.)

@hzalaz hzalaz closed this as completed Mar 1, 2017