Auth0: Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is ''

I have a possibly unusual server setup on Amazon using EC2 instances:

  • primary server: Apache server with elastic IP & domain name (apps.mysite.com), SSL protection, authentication with Auth0, reverse proxies to secondary server at path apps.mysite.com/secondary
  • secondary server: different physical server, runs a Shiny Server web app, no SSL or authentication, only allows connections from primary server

My idea here is to have a primary "gateway" server that is easily addressable and secure, with any number of secondary servers which may be turned on/off on schedules for cost efficiency.

It all seemed to work fine with some test applications, and my real application works fine initially.

The problem occurs when a user runs a long process (>10 minutes) on the secondary server which, when finished, displays a couple of JavaScript DataTables. Instead of properly displaying, the outline of the tables appears (no content), the connection dies, and in the console I get an error like:

https://mysite.auth0.com/authorize?response_type=code&scope=ope…mysite.com%2Fredirect_uri&nonce=.... Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is ''. It must be 'true' to allow credentials. Origin 'https://apps.mysite.com' is therefore not allowed access.

From this SO question I tried adding both https://apps.mysite.com and https://apps.mysite.com/* to the relevant Auth0 application's allowed origins, but that didn't help.

Can someone explain to me what is happening, and how I can fix it?