Auth0 logs out on refresh (only on mobile)

Hi Auth0 Community, first post here. I’m pretty stuck on this, any help is appreciated.

I’m using Auth0-spa-sdk and it works perfectly for the most part, but on mobile when I refresh the page it logs me out.

I get the error that says “login required”, but no such error when on the desktop. On the desktop, I can refresh the page as much as I want with no issue.

I am not using the dev keys anymore for my social signups, and the issue occurs on email signup as well, so I don’t think dev keys are the issue either.

Thanks a bunch.

1 Like

Hi @jlbroughton88, welcome!

Are you testing on only one device? Is it iOS? Do you have a custom domain set up that matches your application domain? (see https://auth0.com/docs/api-auth/token-renewal-in-safari if the error appears in Safari)

Hi Nicolas. I appreciate the fast response!

I’m testing on multiple, safari does seem to be the issue. And it does still happen on desktop safari, which I wasn’t aware of at first.

I checked out the doc that you sent me. I think I’m reading it right, in order to fix this, I’ll need to purchase a subscription plan?..

1 Like

As of now, yes, working around this issue in Safari requires a custom domain and the Custom Domain feature is only available to paid subscriptions.

Okay thank you.

I say this in no disrespect to you or Auth0 because I really do love the service, but I hope this can be changed eventually or a workaround can be included into the free subscription because this is seems like a pretty big hurdle for people just trying to learn like myself. I dont plan on my apps bringing in any income at the moment, but auth is an imperative service to have nowadays.

Again, no disrespect. I think it would be great if your team could maybe come up with a super basic plan that covers stuff like this for maybe $5 a month or something…

Thanks again for the quick response.

Is this something thats being fixed? Or figured out at the moment?
Just curious what I should expect in the future for building apps.

Hi again. I want to separate two different topics here:

  • Custom domains is a product feature that’s only available on paid tiers (https://auth0.com/pricing/). That’s a pricing decision. As you might imagine, pricing is a very hard problem and, with most products, you try to come up with ways of combining features that satisfy different target audiences yet keep a certain simplicity, and that results in a few different SKUs or tiers and not an individual picking of features (that’s why if I want to buy a Honda Civic I get the option of 4-5 trim levels and not an individual selection of the things I care about like cruise control, AC, leather seats or whatever).
    I understand that even the Developer tier at $ 23 per month can be difficult to pay for small sites, but that’s where the free tier tries to help. You can leave feedback at https://auth0.com/docs/feedback about this.
  • Token renewal in SPAs fails in Safari. Single page applications, in their simplest implementations, don’t have a backing server that can keep sessions for a user, thus the application running in the browser is fully responsible for maintaining the user session.
    The “session”, among other things, require a working access token to make requests to the backend API. And the problem comes when the application needs to refresh the token (the token is expired and a new one is needed).
    Regular web apps work differently (they can keep a longer session with cookies and in many cases they don’t even need access tokens to be updated) and native (mobile) apps use refresh tokens to acquire new access tokens.
    But single page applications can’t use refresh tokens (*), so SDKs like auth0-spa-js use a clever trick: they rely on the session that Auth0 keeps for the user (through a cookie). To avoid reloading the page to request a new token, they create a hidden IFRAME and ask for a token to the Auth0 domain from that IFRAME.
    If the domain of the application does not match that of the Auth0 domain, this is then a cross-domain conversation, with cross-domain cookies. Safari’s ITP blocks that cookie, thus preventing the token renewal.
    Other browsers might implement similar features in the future (Google just announced its intention to block third party cookies altogether in the future), so this problem is likely to get worse.
    Using custom domains so that the application 2nd level domain matches that of your Auth0 domain helps, but it’s not a silver bullet (e.g. if you have two apps in different domains, this won’t help). This is affecting many identity providers, not just Auth0 (e.g. Azure AD), and vendor and protocols collaborators are working on different alternatives to solve this problem.
    Auth0 is working hard on this problem, and there might be good news in the future. But there are no promises or ETAs available at this moment.

For now, the solutions are:

  • Use custom domains
  • Use longer token duration (this of course needs to be weighted in against the increased security risks)
  • Provide a backend to your SPA on the same domain, so that the backend handles the session via a cookie and your SPA only talks to the backend API, without worrying about access tokens.
1 Like

Thanks so much again for all the helpful info. I’ve included a notice for safari users on my app while the problem exists. I’m sure this will help others that face my issue as well. I look forward to the fix but I understand that it is likely something that will take time.