Authorize without IFrame when on Custom domain


I am just wondering whether the IFrame workaround is still necessary when using Custom domains. App is on and Auth0 is set to

Here you state:

When authentication requests are made from your application (via the Lock widget or a custom login form) to Auth0, the user’s credentials are sent to a domain which differs from the one that serves your application. Collecting user credentials in an application served from one origin and then sending them to another origin

And also this

Auth0 provides a cross-origin authentication flow which makes use of third-party cookies. The use of third-party cookies allows Lock and Auth0’s backend to perform the necessary checks to allow for secure authentication transactions across different origins.

So again - running on Custom domains where the root domain (in this example is the same in both cases - is still considered as third-party cookie?

Thanks for deeper explanation!

Hi @luke1988,

We are actually currently moving towards refresh token rotation, which does away with silent auth and the iframes. If you are concerned with this, it may be worth looking into making this switch, as it should provide a more robust way to persist sessions in the client.

I recognize I didn’t answer your iframe question; someone else may have a more in-depth response for that.

Hope this helps,
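The distinction the question turns on is origin versus site: browsers decide whether a cookie is third-party by comparing sites (scheme plus registrable domain), not origins. The sketch below is an added example, not part of the original posts or Auth0's code; the hostnames, the tenant name and the three-entry suffix list are constructed placeholders, and real code should use the full Public Suffix List.

```javascript
// Constructed subset of the Public Suffix List (assumption: enough for the samples below).
const PUBLIC_SUFFIXES = new Set(["com", "co.uk", "github.io"]);

// Registrable domain (eTLD+1): the longest matching public suffix plus one more label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    // Candidates run from longest to shortest, so the first hit is the longest suffix.
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // A host that is itself a public suffix has no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // suffix not in the constructed list
}

// Compare the page serving the app with the host that sets the session cookie.
function compareHosts(appUrl, authUrl) {
  const app = new URL(appUrl);
  const auth = new URL(authUrl);
  const appSite = registrableDomain(app.hostname);
  const authSite = registrableDomain(auth.hostname);
  // Same origin: scheme, host and port all match.
  const sameOrigin = app.origin === auth.origin;
  // Same site: scheme and registrable domain match; subdomains may differ.
  const sameSite =
    appSite !== null && appSite === authSite && app.protocol === auth.protocol;
  return { sameOrigin, sameSite, cookieContext: sameSite ? "first-party" : "third-party" };
}

// Constructed sample hosts (hypothetical app, custom domain and tenant domain).
const samples = [
  ["https://app.example.com", "https://login.example.com"],         // custom domain
  ["https://app.example.com", "https://example-tenant.auth0.com"],  // default tenant domain
  ["https://a.github.io", "https://b.github.io"],                   // shared public suffix
];
for (const [app, auth] of samples) {
  console.log(app, "->", auth, JSON.stringify(compareHosts(app, auth)));
}
```

A custom domain under the app's registrable domain is still cross-origin, so CORS applies, but its cookies are same-site and are not subject to third-party cookie blocking.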
