Missing CORS headers for cached /.well-known/jwks.json

Current Status: Resolved | Last updated at February 2nd 2021, 21:24 UTC

Affected environments: US-1 Preview, EU Preview, AU Preview, US-3 Preview, JP-1 Preview

A root-cause analysis for this issue has been performed and is now available at https://cdn.auth0.com/blog/20210120-Incident-RCA.pdf

History for this incident

January 20, 2021, 18:11 UTC


This incident has been resolved.

January 20, 2021, 14:47 UTC


The fix has finished being deployed and we are monitoring the results.

January 20, 2021, 13:48 UTC


The fix is in the process of being deployed.

January 20, 2021, 12:57 UTC


We have determined the cause of the issue and now have a possible fix; we are working on reviewing it and preparing its deployment.

January 20, 2021, 12:19 UTC


We have identified an issue where requests to the /.well-known/jwks.json endpoint performed in the scope of a CORS request may receive a response without the necessary CORS response headers. This prevents the user-agent from allowing access to the response body. We are currently working on a fix.
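
A monitoring check for the failure described in the first update, as an added example that is not Auth0's code: it applies the Fetch standard's CORS check to recorded response headers to tell whether a browser would expose the JWKS body to the calling page. The hostnames, the `SAMPLE_PROBES` data and all function names are constructed for illustration.

```javascript
// Added example, not Auth0 code. Applies the Fetch standard's "CORS check"
// to recorded response headers for a JWKS endpoint.

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]);
}

// Returns whether a browser would let script at `origin` read the response body.
// `credentials` mirrors fetch(..., { credentials: "include" }).
function corsCheck(origin, headers, credentials = false) {
  const allowOrigin = getHeader(headers, "Access-Control-Allow-Origin");
  if (allowOrigin === null) {
    return { allowed: false, reason: "missing Access-Control-Allow-Origin" };
  }
  if (!credentials && allowOrigin === "*") return { allowed: true, reason: "wildcard" };
  if (allowOrigin !== origin) return { allowed: false, reason: "origin mismatch" };
  if (!credentials) return { allowed: true, reason: "origin match" };
  const allowCreds = getHeader(headers, "Access-Control-Allow-Credentials");
  return allowCreds === "true"
    ? { allowed: true, reason: "origin match with credentials" }
    : { allowed: false, reason: "credentials not allowed" };
}

// Constructed sample: two probe results for the same URL. The second one
// models a cached response that lost its CORS headers. Hostnames are placeholders.
const JWKS_URL = "https://tenant.example/.well-known/jwks.json";
const SAMPLE_PROBES = [
  { url: JWKS_URL, origin: "https://app.example",
    headers: { "Content-Type": "application/json",
               "Access-Control-Allow-Origin": "https://app.example" } },
  { url: JWKS_URL, origin: "https://app.example",
    headers: { "Content-Type": "application/json", "Age": "42" } },
];

// Keep only the probes whose body a browser would refuse to expose.
function findBlockedResponses(probes) {
  return probes
    .map((p) => ({ url: p.url, origin: p.origin, ...corsCheck(p.origin, p.headers) }))
    .filter((r) => !r.allowed);
}

console.log(findBlockedResponses(SAMPLE_PROBES));
```

Repeating the probe several times per origin matters here, because a cached endpoint can return a correct response on one request and a header-less one on the next.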