Some feedback, folks. There are two libraries: auth0-spa-js and auth0-js. This answer seems to answer an auth0-spa-js question with a reference to an implementation with the auth0-js library. This is all quite confusing, especially if you don’t realize yet that there are two libraries.
For others that come across this question, this might help a lot to know the difference between the two: Migrate from Auth0.js to the Auth0 Single Page App SDK
That page does seem to indicate that in the auth0-spa-js library, the auth0.getTokenSilently() function is the one that you should use. Tbh, I did not have much luck with it, so I’m going to move to the other library. The cookie says ‘isAuthenticated’ since I already logged in, but when I then refresh the page, getTokenSilently results in the below error:
Edit: I followed the advice here: How does auth0-spa-js store tokens - #6 by npatel
set the audience when calling getTokenSilently({audience: <from Dashboard - API - Detail>}), and also set Allow Skipping User Consent to enabled, and then modify etc/host (https://auth0.com/docs/api-auth/user-consent) and run the application in HTTPS.
Essentially making sure you don’t run from localhost and run on HTTPS. It still does not work on refresh with ‘getTokenSilently’ here so there is still something I’m doing wrong though.
Edit2: I assumed it no longer works due to the new ITP rules in browsers:
"However, the browser must have third-party cookies enabled. Otherwise, checkSession() is unable to access the current user’s session (making it impossible to obtain a new token without displaying anything to the user)."
My browser for local dev is actually set to allow third party cookies. However, I do see these two warnings:
which are probably the issue, also discussed here (Chrome: Warning message - SameSite cookie - #22 by bookzo).
Edit3: same result for the auth0-js library.