Lock: Custom Domain - You should not be hitting this endpoint

Created on 22 Mar 2018  路  15Comments  路  Source: auth0/lock

Hi,
we are using auth0 lock11(11.5.0). We had problem with Cross Origin Authentication so we register custom domain (login.besmarthead.com instead of smarthead.eu.auth0.com) -> cert is managed by auth0. We had followed this tutorial https://auth0.com/docs/custom-domains.
BUT now when i open page and user is already logged in (saving token in locale storage) i see this (alert window, chrome v65, ubuntu)

You should not be hitting this endpoint. Make sure to use the code snippets shown in the tutorial or contact [email protected] for help

I have update lock as tutorial suggest

var lock = new Auth0Lock('your-client-id', 'login.northwind.com', { ... configurationBaseUrl: 'https://cdn.auth0.com' ... });

Alert popup when (debugging in network console) when page tries to hit 'https://login.besmarthead.com/client/XDUWdmcRSrP7BdlwmVQXDnognHsgV28a.js?t1521754197839'.

There is no further error so i do not know where to start search for error. Any help would be appreciated. Thanks

Most helpful comment

This error should be improved upon.

Would it be too hard to just check if a custom domain is present, and if so then respond with an alert saying that configurationBaseUrl is required?

All 15 comments

can you share your full configuration? are you using the hosted login page or embedded lock?

This works for me:

const clientId = "BWDP9XS89CJq1w6Nzq7iFOHsTh6ChS2b";
const domain = "auth.brucke.club";
const defaultOptions = {
  configurationBaseUrl: 'https://cdn.auth0.com',
};
var lock = new Auth0Lock(clientId, domain, defaultOptions);
lock.show();

Hi,
thanks for reply. We are using embedded lock :

const lock = new Auth0Lock.default(
  environment.auth0_clientId,
  environment.auth0_domain, // new one, custom domain
  {
    configurationBaseUrl: 'https://cdn.eu.auth0.com',
    additionalSignUpFields: [
      firstNameField,
      lastNameField
    ],
    auth: {
      redirect: false,
      redirectUrl: location.origin + environment.auth0_redirectUrl,
      responseType: 'id_token token',
      params: {
        scope: 'openid email id_token profile'
      }
    },
    autoclose: true,
    initialScreen: screen,
    languageDictionary: { // https://github.com/auth0/lock/blob/master/src/i18n/en.js
      title: translation[0],
      loginLabel: translation[0],
      loginSubmitLabel: translation[0],
      passwordInputPlaceholder: translation[1],
      signupTitle: translation[2],
      signUpLabel: translation[2],
      signUpSubmitLabel: translation[2],
      forgotPasswordTitle: translation[3],
      forgotPasswordAction: translation[4],
      forgotPasswordInstructions: translation[5],
      forgotPasswordSubmitLabel: translation[6],
      databaseEnterpriseAlternativeLoginInstructions: translation[7],
      databaseAlternativeSignUpInstructions: translation[7],
      lastLoginInstructions: translation[8],
      notYourAccountAction: translation[9],
    },
    theme: {
      logo: location.origin + '/assets/images/logo/sh-small.png',
      primaryColor: '#BF1D1D'
    }
  }
);
lock.show();

Thanks, Martin

Hey, I was in a holiday last friday. Did you fix this issue?

Hi,
nope ... no luck so far.

But alert 'You should not be hitting this endpoint...' appear only when you are sign in.
1) when you open page for first time, everything is ok
2) you sign in with lock
3) refresh page, alert window popup (as result of call 'https://login.besmarthead.com/client/XDUWdmcRSrP7BdlwmVQXDnognHsgV28a.js?t1521754197839' -> i guess it is lock 'silent authentication' ?)

Martin

https://www.besmarthead.com/home-page is this the page that you're testing this?

Yes, but currently there is deployed version which is NOT using custom domain.
Do you want to try it (i can deploy there version with custom domaim) ?

Are you calling checkSession by yourself anywhere?

yes,
i have stored token inside local storage, when token is present i do:

const lock = new Auth0Lock.default(
  environment.auth0_clientId,
  environment.auth0_domain, {
    auth: {
      redirect: false,
      redirectUrl: location.origin + environment.auth0_redirectUrl,
      responseType: 'id_token token',
      params: {
        scope: 'openid email id_token profile'
      }
    },
  }
);
lock.checkSession({}, (error, authResult: any) => {
  if (authResult) {
    console.log('Silent authentication: received valid token');
    // ... app code, user is sign in
  }
});

Now i see that i am missing
configurationBaseUrl: 'https://cdn.eu.auth0.com'
could this be problem ?

it absolutely is 馃槤

Well, shame on me !
This evening i will try it -> i will give you feedback

Thanks so much !

Ok thanks! If it doesn't work, please reopen the issue 馃帀

Everything works ! thanks

Just for future troubles with this.

Use https://cdn.auth0.com instead of https://cdn.eu.auth0.com

This error should be improved upon.

Would it be too hard to just check if a custom domain is present, and if so then respond with an alert saying that configurationBaseUrl is required?

Was this page helpful?
0 / 5 - 0 ratings