No 'Access-Control-Allow-Origin' header is present on the requested resource

Serverless Framework
1

I am trying to get protected APIs working and have followed the instructions [here] (https://github.com/serverless/examples/tree/master/aws-node-auth0-custom-authorizers-api) but I receive a 401 error:

Failed to load https://xxxx.execute-api.us-east-1.amazonaws.com/dev/api/private No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘hosted-website-name’ is therefore not allowed access. The response had HTTP status code 401. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.

I did not change anything that was not told to change from the instructions. I have added the website URL to the Allowed Callback URLs, Allowed Web Origins, and Allowed Origins (CORS).

Any ideas on how to fix this issue? Thanks!

2

For cors to work for auth failures you need to set this in your resources https://github.com/serverless/forms-service/blob/master/backend/serverless.yml#L96-L105

Super odd, but a quirk of how custom authorizers work in AWS.

3

Thanks for the response but unfortunately that did not change the output.

Interestingly, the ‘live demo’ they have in their readme is giving me the same error. I created the demo account using a email and password that I verified:

error
error1919×1080 107 KB

4

Looks like my once working code is broken =(((

Change the ResponseType to UNAUTHORIZED

    AuthFailureGatewayResponse:
      Type: 'AWS::ApiGateway::GatewayResponse'
      Properties:
        ResponseParameters:
          gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
          gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
        ResponseType: UNAUTHORIZED
        RestApiId:
          Ref: 'ApiGatewayRestApi'
        StatusCode: '401'

I managed to get this working.

The JWT validation is failing in the authorizer right now… I’m unclear as to why

5

See the PR here https://github.com/serverless/examples/pull/219/files

That fixes the CORS issue.

However, the JWT I get back from auth0 is no longer validating.

You can sls logs -f auth -t to tail the auth logs to see the jwt verification failing.

I’ve had many issues with auth0 as of late and it’s starting to get on my nerves

6

Fixed it!

JWT secret needed to be base 64 decoded to validate the jwt.

Demo is working again http://auth0-serverless-protected-routes-demo.surge.sh/

:tada: