Auth0 `getTokenSilently` failing when using Safari PWA "Standalone" mode

ddecarme · August 14, 2020, 6:29pm

I’m running into a significant issue when trying to verify the token that is stored in the “in-memory” web worker when running my app in Safari standalone mode on iOS 13.

Here’s the status of my situation right now. Safari is working on the mobile browser version. I make a request to my API and before that request goes out, the getTokenSilently method is run, the Auth0 SPA SDK recognizes that I’m using refresh tokens and makes a call to the oauth/token endpoint to exchange tokens. I get my new token back, stuff it in the header of my request and then I get my data back. Everything is working fine from that perspective.

However, when I run that same part of the app in standalone mode on the iPhone, I get a “Login Required” error back. I did some debugging and traced through the code in standalone mode and this is the result of my findings. The Auth0 SDK is:

Recognizing that I’m using refresh tokens
Redirecting me to the _getTokenUsingRefreshToken method
Attempting to locate the tokens that are stored in the web worker
Not recognizing that my tokens are stored and then reverting to using the _getTokenFromIFrame

I’ve read I think all of the documentation there is including forums on Auth0 and Safari ITP and haven’t really come to a good consensus of what I should be doing. My Auth0 client config is below

authClient = new Auth0Client({
    domain: getConfigVar("PWA_AUTH_0_DOMAIN"),
    client_id: getConfigVar("PWA_AUTH_0_CLIENT_ID"),
    audience: getConfigVar("PWA_AUTH_0_AUDIENCE"),
    redirectUri: getRedirectUrl(),
    scope: "offline_access",
    cacheLocation: "memory",
    useRefreshTokens: true
  });

When running the getTokenSliently method I pass in token as an extra scope

getTokenSilently({ scope: "token" })

I’ve tried a few things:

Using localstorage instead of memory for storing the tokens
Added an offline_access scope to the Auth0 client initialization to get a refresh token back right away

It’s also interesting to note that as it stands right now, I’ve tested the application out with all major browsers on desktop and mobile phones and also with the standalone mode for android devices and everything is working as expected. The only trouble I’m running into is in Standalone mode for Safari iOS.

Any advice on how to fix this would be greatly appreciated!

Thanks!

ddecarme · August 19, 2020, 12:19pm

Good morning, has anybody at the Auth0 team had an opportunity to review the above issue?

thomas.osborn · September 1, 2020, 9:29pm

Hi @ddecarme,

I just replied to your support ticket, but I also wanted to reply here in case anyone else comes across this issue.

We do have documentation here relevant to this issue: https://auth0.com/docs/authorization/renew-tokens-when-using-safari

In particular, using a custom domain and rotating refresh tokens are two options which might help here.

konrad.sopala · September 2, 2020, 11:36am

Thanks Tomas for sharing it!

adminedu · October 28, 2022, 2:12am

Is there a documented solution to this problem? I am having the same issue for my Safari users.