After successful login, token is not returned and user is not logged in

Hi @beana77,

Since it’s working in Chrome, but not Brave, I think you are correct about ITP. Blocked third-party cookies become an issue when silent authentication takes place across different domains. Using rotating refresh tokens will prevent the need for silent authentication in some cases, but silent auth will still be used as a fallback when the tokens are not found in memory (for example, after a page refresh) or if a new scope or audience is specified in a getTokenSilently request.

To prevent failed silent auth when third-party cookies are blocked, you can either 1) set up your Auth0 tenant to use a custom domain, or 2) alter your code so that silent auth is not required.

  1. Here is information about setting up a custom domain: Custom Domains. This option is available for any paid subscription.

  2. To prevent silent auth requests, you can cache tokens in local storage. There are security considerations which you can read about here: Token Storage. You will also need to make sure that the Auth0Provider component is initialized with the same audience and scope as any getTokenSilently calls:

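```jsx
import React from "react";
import ReactDOM from "react-dom";
import { Auth0Provider } from "@auth0/auth0-react";

// App, config and onRedirectCallback are defined elsewhere in the application.
// audience and scope must match the values used in getTokenSilently calls;
// cacheLocation="localstorage" keeps tokens available after a page refresh.
ReactDOM.render(
  <Auth0Provider
    domain={config.domain}
    clientId={config.clientId}
    audience={config.audience}
    scope={config.scope}
    redirectUri={window.location.origin}
    onRedirectCallback={onRedirectCallback}
    useRefreshTokens={true}
    cacheLocation="localstorage"
  >
    <App />
  </Auth0Provider>,
  document.getElementById("root")
);
```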
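The following is an added example, not part of the original reply and not Auth0 SDK code: a small audit helper that flags token requests whose audience or scope differ from the provider configuration, since those are the requests the reply says fall back to silent auth. The names `checkTokenRequest` and `auditCalls` are hypothetical, the sample values are constructed, and it assumes scopes are compared as unordered sets and that a request omitting `audience` or `scope` inherits the provider's value.

```javascript
// Added example; hypothetical helper names, constructed sample values.

// Split a space-delimited OAuth scope string into a set of scope names.
function scopeSet(scope) {
  return new Set((scope || "").split(/\s+/).filter(Boolean));
}

// Compare one token request against the provider configuration.
// Assumption: scopes compare as unordered sets, and omitted options
// inherit the provider's audience and scope.
function checkTokenRequest(provider, request = {}) {
  const problems = [];
  const audience = request.audience ?? provider.audience;
  if (audience !== provider.audience) {
    problems.push(`audience "${audience}" differs from provider "${provider.audience}"`);
  }
  const want = scopeSet(request.scope ?? provider.scope);
  const have = scopeSet(provider.scope);
  const extra = [...want].filter((s) => !have.has(s));
  const missing = [...have].filter((s) => !want.has(s));
  if (extra.length) problems.push(`scope adds: ${extra.join(" ")}`);
  if (missing.length) problems.push(`scope omits: ${missing.join(" ")}`);
  return { needsSilentAuth: problems.length > 0, problems };
}

// Return only the call sites that would not be served by the cached token.
function auditCalls(providerConfig, callSites) {
  return callSites
    .map((c) => ({ name: c.name, ...checkTokenRequest(providerConfig, c.options) }))
    .filter((r) => r.needsSilentAuth);
}

// Constructed provider configuration and call sites.
const provider = { audience: "https://api.example.test", scope: "openid profile read:items" };
const calls = [
  { name: "list items", options: {} },
  { name: "reordered scope", options: { scope: "read:items  openid profile" } },
  { name: "write items", options: { scope: "openid profile write:items" } },
  { name: "other API", options: { audience: "https://billing.example.test" } },
];

for (const r of auditCalls(provider, calls)) {
  console.log(`${r.name}: falls back to silent auth (${r.problems.join("; ")})`);
}
```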