A cookie associated with a cross-site resource at http://auth0.com/ was set without the `SameSite` attribute

I had this issue, was very distracted by it, but ultimately resolved it by reading and understanding this:

My assumption is that, like me, those of you having this issue (a) see it exclusively in your local dev environment, and (b) your local server is not using HTTPS (in which case, no problem), or you are seeing the message in production because your server isn't using HTTPS (in which case, say thanks for the warning and fix that!).

This isn’t a bug; things are working as designed.

Chrome is providing a deprecation warning because what we are doing by running a server with HTTP is actually violating the secure cookie policy set by Auth0.

If you are not using HTTPS in production, the warning is doing you a favor. Enable HTTPS!

In my case, I was seeing these warnings in local dev environment and was distracted and concerned by them.

I imagine if I made a cert and used HTTPS for local development, the warning would go away because I would be complying with the policy. The warning isn’t about something Auth0 is doing, but that I am personally violating the cookie policy Auth0 set. (How dare I!)

The non-HTTPS local dev environment works right now, but presumably at some point it won’t work any longer or perhaps there will be some sort of localhost exemption in Chrome’s implementation of this policy or perhaps Auth0 will implement a ‘dev mode’ toggle in their interface that sets the cookie policy to lax.

I am going to trust that this will be fully resolved by the time the policy goes into effect.

So—what did I do to solve this for myself?

For my own diligence, I verified the problem does not exist in production where I am running HTTPS. (It doesn’t.)

Then I went into chrome://flags and disabled Cookie Deprecation messages.

Non-problem "problem" solved 🙂

Hope that helps!

P.S. My recommendation to Auth0 would be:

Create an addition to docs regarding the SameSite warning being caused by local HTTP rather than HTTPS and in that doc:

  1. Provide some assurance that this is almost certainly not something people will see in production
  2. Educate Auth0 users about what will be expected from local environments when the policy goes into effect.
  3. Advise that if they find the messages distracting, the best course of action is to disable the deprecation warning.
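As an added example that is not part of the original post and not Auth0's own code, the JavaScript below audits a `Set-Cookie` header value against the Chrome rules that produce the warning discussed above (a cookie with no `SameSite` attribute is treated as `SameSite=Lax` and withheld from cross-site requests; `SameSite=None` must also carry `Secure` or the cookie is rejected) and shows the rewritten header that satisfies them. The function names and the sample header values are constructed for illustration.

```javascript
// Added example, not code from the original post or from Auth0.
// Audits Set-Cookie header values against the Chrome SameSite rules
// (Chrome 80 and later) that produce the console warning discussed above:
//   - no SameSite attribute        -> treated as SameSite=Lax; not sent cross-site
//   - SameSite=None without Secure -> the cookie is rejected outright
//   - SameSite=None; Secure        -> sent cross-site (only usable over HTTPS, since
//                                     browsers discard Secure cookies set by an http:// origin)
// All header values used here are constructed for illustration.

function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq),
    value: eq === -1 ? '' : nameValue.slice(eq + 1),
    attributes: {},
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    // Flag attributes (Secure, HttpOnly) carry no value; store them as true.
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const secure = c.attributes.secure === true;
  const sameSite = typeof c.attributes.samesite === 'string'
    ? c.attributes.samesite.toLowerCase()
    : null;

  if (sameSite === null) {
    return {
      name: c.name,
      status: 'lax-by-default',
      sentCrossSite: false,
      note: 'no SameSite attribute: Chrome treats it as Lax and withholds it from cross-site requests',
    };
  }
  if (sameSite === 'none' && !secure) {
    return {
      name: c.name,
      status: 'rejected',
      sentCrossSite: false,
      note: 'SameSite=None requires Secure; Chrome drops the cookie',
    };
  }
  if (sameSite === 'none') {
    return { name: c.name, status: 'ok', sentCrossSite: true, note: 'explicit SameSite=None; Secure' };
  }
  // SameSite=Lax or SameSite=Strict: accepted, but first-party only.
  return { name: c.name, status: 'ok', sentCrossSite: false, note: `explicit SameSite=${sameSite}` };
}

// Rewrites a header so the cookie is valid for cross-site use: any existing
// SameSite/Secure attributes are dropped and "SameSite=None; Secure" appended.
function fixForCrossSite(header) {
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const kept = parts.filter((part, i) => {
    if (i === 0) return true; // the name=value pair
    const key = part.split('=')[0].trim().toLowerCase();
    return key !== 'samesite' && key !== 'secure';
  });
  return [...kept, 'SameSite=None', 'Secure'].join('; ');
}

// Constructed sample headers, the kind a cross-site login flow might set.
const SAMPLE_HEADERS = [
  'auth_session=abc123; Path=/; HttpOnly',                        // triggers the warning
  'auth_session=abc123; Path=/; SameSite=None',                   // rejected by Chrome
  'auth_session=abc123; Path=/; HttpOnly; SameSite=None; Secure', // accepted cross-site
];

for (const h of SAMPLE_HEADERS) {
  const r = auditSetCookie(h);
  console.log(`${r.status.padEnd(15)} ${r.name}: ${r.note}`);
}
console.log('fixed:', fixForCrossSite(SAMPLE_HEADERS[0]));
```

The rewritten header only helps when the page is served over HTTPS: `Secure` means a plain `http://` origin cannot set the cookie at all, which is the same reason the post recommends enabling HTTPS rather than weakening the attribute.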