Is there a recommended way of solving this issue? I’ve read the discussion on Failed Silent Auth - Login required - #39 by auth0z, but there does not seem to be any resolve.
If anybody have any tips other than running in incognito mode or tweaking the Safari settings, I would be extremely grateful.
Unfortunately, as of now, only the two things are recommended:
Enable a Custom Domain on your tenant and host your web application in a domain that has the same top-level domain as your Auth0 custom domain. For example, you host an application at https://northwind.com and set your Auth0 custom domain as https://login.northwind.com . This way the cookies are no longer third-party (because both your Auth0 tenant and your application are using the same top-level domain), and thus, are not blocked by browsers.
Provide a cross-origin verification page that will make cross-origin authentication work in a limited number of browsers even with third-party cookies disabled (see the browser testing information below).
In addition to Karen’s suggestions, you can use refresh token rotation for silent authentication now (this was recently released). Some more info can be found here and here.
Thank you both for your advise. @thameera, you say “In addition to Karen’s suggestion…”, but the first link you gave states that refresh tokens are an alternative to custom domains. Do I need to implement both a custom domain AND a refresh token, or will a refresh token suffice to work around the ITP problem?
Hey @OysteinAmundsen, refresh tokens will work even if you don’t have a custom domain. Reading my previous answer now, I see it can be confusing - I meant that this is another suggestion. 
It would still be ideal to have custom domains set up to make the experience more seamless, especially if you have more than one app (but I understand this means going for a paid account and might not always be an option).
Ok, I have an angular app with a dotnet core backend. I have followed the universal login trail in your docs for setting up auth0 in my app. What exactly must I do to enable refresh tokens?
I have added useRefreshTokens: true to my createAuth0Client call but it doesn’t seem to do much. I’ve also checked the grants in auth0 administration panels, and it allows the use of refresh tokens. I still have the same eternal login-loop on safari.
I’m not entirely sure it’s related, but chrome and other browsers also report that some cookies are stored using SameSite=None without secure.
I’m using auth0-spa-js version 1.8.1
Can you make sure you have enabled rotating RTs in the application (in Auth0 dashboard) as well? Another thing you may want to try is setting the cacheLocation to localstorage. eg:
auth0 = await createAuth0Client({
domain: DOMAIN,
client_id: CLIENT_ID,
redirect_uri: URL,
scope: 'openid email profile',
audience: AUDIENCE,
useRefreshTokens: true,
cacheLocation: 'localstorage'
})
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.