Best practices SPA cookies (with custom domain) vs refresh tokens

Hi all,

We have a backend API with an Angular SPA client. We recently added custom domains to our tenants to have a more unified user experience. Until now I also thought that we should migrate from using refresh tokens with rotation to cookies (refreshtoken =false), since third-party cookies should not be blocked now.

Is this correct? Is there a recommended approach? I just saw a few threads where people suggest that refresh tokens might be more future-proof since browsers are continuing to block cookies in general.

If using cookies with custom domains, how should we handle local testing - will this still work?

I would really appreciate some recommendations or best practices regarding this topic :).

Best
Chris

Hi @chris_b

Welcome back to the Auth0 Community!

Refresh Token rotation is our recommended way of gaining the access token due to, as you said, the current approach of browsers to block cookies in general. You can read more about that here →

Thanks
Dawid
