What I don’t understand is that when I tell Chrome to block 3rd party cookies, I am still able to use my app, which uses the cookie instead of refresh tokens.
Shouldn’t things completely break if I’m using an auth0 domain instead of a custom domain?
The behavior you're describing sounds about right to me - I would expect the app to behave more or less normally until any sort of silent auth or re-auth occurs. At this point I would expect things to break down given the blocking of third party cookies.
Ahhhhh… that makes total sense now. Thanks @tyf ! That explains some other strange behavior that we started seeing and sure enough, I see a bunch of Failed Silent Auth messages in the log.
This problem only appears to be on our dev site. If our dev site is XXX.arrivalos.com, I would be required to do a custom domain like auth.arrivalos.com, so it wasn’t considered third party, correct?
I see under the Essentials plan it says "1 Production Tenant" is available. Is it possible to share a subscription between our Production and Development tenants?
Our Production tenant uses a completely different domain, so I can’t even share that because it would be considered 3rd-party since the domains don’t match, correct?
Any tenant that does not have the ability to utilize a custom domain can get around third-party cookie issues by using refresh tokens / refresh token rotation. This is preferred to traditional silent auth which does rely on an auth0 cookie (third-party without a custom domain).
What makes refresh tokens / refresh token rotation preferred? Is it worth it to re-engineer our existing authentication for any particular reason? We have a custom domain, so things are working with the cookie.
While using a custom domain the cookies that are set by silent auth (achieved inside an iframe) are technically first party so you should be fine - The benefit to refresh tokens is really the ability to not rely on cookies at all, thus future-proofing your application as browsers continue to restrict the use of cookies in general.
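The distinction drawn in the two replies above (silent auth in an iframe depends on the Auth0 session cookie being first-party, while refresh tokens need no cookie at all) can be made concrete with a small simulation. This is an added example, not code from the thread or from Auth0's SDK: the browser, cookie rules and authorization server below are constructed mocks, and the host names (`dev.arrivalos.com` standing in for XXX.arrivalos.com, `tenant.us.auth0.com` as an assumed Auth0-provided tenant domain, `auth.arrivalos.com` as the custom domain) are assumptions. The mock server implements refresh token rotation with reuse detection, which is what Auth0's rotation feature does, so the example also shows why a stolen, already-rotated refresh token is rejected.

```javascript
// Added example (not code from the thread or from Auth0): a model of how a browser
// that blocks third-party cookies affects Auth0 silent auth versus refresh tokens.
// All hosts are assumed, and the auth server is a mock.

// Approximate the "site" of a host as its last two DNS labels.
// Real browsers use the Public Suffix List; this is a simplification for the example.
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// A cookie is first-party when the top-level page and the request host are the same site.
function isSameSite(topLevelHost, requestHost) {
  return registrableDomain(topLevelHost) === registrableDomain(requestHost);
}

// Minimal browser: one session cookie per host, plus localStorage for the SPA.
class Browser {
  constructor({ blockThirdPartyCookies }) {
    this.blockThirdPartyCookies = blockThirdPartyCookies;
    this.cookies = new Map();      // host -> session cookie
    this.localStorage = new Map(); // key -> value
  }
  // Interactive login is a top-level navigation to the auth host, so the
  // Auth0 session cookie is set there as a first-party cookie.
  interactiveLogin(authHost) {
    this.cookies.set(authHost, 'auth0=session');
  }
  // Cookie attached to a request to requestHost made from a page whose
  // top-level site is topLevelHost (e.g. a hidden iframe inside the app).
  cookieFor(topLevelHost, requestHost) {
    const cookie = this.cookies.get(requestHost) || null;
    if (cookie && this.blockThirdPartyCookies && !isSameSite(topLevelHost, requestHost)) {
      return null; // blocked: the auth host is a third party to the app
    }
    return cookie;
  }
}

// Silent auth: the SPA loads /authorize?prompt=none in an iframe on the auth host.
// The server can only answer with a token if it sees its own session cookie.
function silentAuth(browser, appHost, authHost) {
  const cookie = browser.cookieFor(appHost, authHost);
  return cookie ? { ok: true } : { ok: false, error: 'login_required' };
}

// Mock authorization server with refresh token rotation and reuse detection:
// each exchange returns a new refresh token and invalidates the old one;
// presenting an already-rotated token revokes the whole token family.
class AuthServer {
  constructor() {
    this.seq = 0;
    this.tokens = new Map();          // refresh token -> { family, used }
    this.revokedFamilies = new Set();
  }
  issueRefreshToken(family) {
    const rt = `rt-${family}-${++this.seq}`;
    this.tokens.set(rt, { family, used: false });
    return rt;
  }
  exchange(rt) {
    const rec = this.tokens.get(rt);
    if (!rec || this.revokedFamilies.has(rec.family)) {
      return { ok: false, error: 'invalid_grant' };
    }
    if (rec.used) {
      this.revokedFamilies.add(rec.family); // reuse detected: kill the family
      return { ok: false, error: 'invalid_grant' };
    }
    rec.used = true;
    return { ok: true, refreshToken: this.issueRefreshToken(rec.family) };
  }
}

// Refresh token flow: POST grant_type=refresh_token to /oauth/token. No cookie
// is involved, so third-party cookie blocking does not matter here.
function refreshWithToken(browser, server) {
  const rt = browser.localStorage.get('refresh_token');
  if (!rt) return { ok: false, error: 'no_refresh_token' };
  const res = server.exchange(rt);
  if (res.ok) browser.localStorage.set('refresh_token', res.refreshToken); // keep the rotated token
  return res;
}

// The three configurations from the thread, all with third-party cookies blocked.
function runScenarios() {
  const appHost = 'dev.arrivalos.com';       // assumed dev site (XXX.arrivalos.com)
  const auth0Domain = 'tenant.us.auth0.com'; // assumed Auth0-provided tenant domain
  const customDomain = 'auth.arrivalos.com'; // custom domain on the app's own site
  const results = {};

  for (const [name, authHost] of [['auth0Domain', auth0Domain], ['customDomain', customDomain]]) {
    const b = new Browser({ blockThirdPartyCookies: true });
    b.interactiveLogin(authHost);
    results[name] = silentAuth(b, appHost, authHost).ok;
  }

  const server = new AuthServer();
  const b = new Browser({ blockThirdPartyCookies: true });
  b.localStorage.set('refresh_token', server.issueRefreshToken('user1'));
  results.refreshToken = refreshWithToken(b, server).ok;
  return results;
}
```

`runScenarios()` returns `{ auth0Domain: false, customDomain: true, refreshToken: true }`: silent auth through the shared Auth0 domain fails with `login_required` (the "Failed Silent Auth" entries mentioned earlier in the thread), the custom domain keeps the cookie first-party, and the refresh token path works with cookies blocked entirely. In the real SDK the equivalent switch is the `useRefreshTokens: true` option of auth0-spa-js; the rotation model here is only an illustration of why the rotated token must be stored and the old one discarded.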
With the B2C Essentials plan, you have access to one production tenant and two dev/staging tenants. Each tenant gives you the ability to specify a different custom domain which will satisfy your needs for your dev site. You can learn more about setting up multiple environments here.
Thanks, @hot_potato . I assumed that I was going to have to pay the monthly fee for both tenants if I chose the subscription on both. The process is not clear.
My production tenant is on B2C - Essentials Users 1000 at $23/month.
I went to my development tenant and upgraded it to B2C Essentials, which created a Team without me asking. The two tenants are still separate.
I tried to add the Production tenant to the team using Link Existing Tenants, but it wants me to downgrade my plan:
Current Plan
Plan Name B2C - Essentials
Users 1000
New Plan
Plan Name B2C - Essentials
Users 500
How do I get these two tenants linked with the 1000 users?
All tenants will assume the subscription of the master tenant in the Auth0 Team account. Linking your production tenant to the Auth0 Team associated with your dev tenant would therefore mean subsequently "upgrading" to the 500 user plan.
And you won’t have to pay for two subscriptions.
You can do one of two things:
Upgrade the tenant subscription which has Auth0 Teams enabled to 1000 users and link the production tenant.
or
Submit a support ticket on https://support.auth0.com/ to provision an Auth0 Teams account for your production tenant, then link the dev tenant to the new team.
Refer to this post on how to get Auth0 Teams enabled on your tenant. Tenants created before Nov 1, 2023 have to make a change in their subscription settings and it should take care of itself. I didn’t realize this at the time and I apologize!