Call to authorize fails on Safari

Is there a recommended way of solving this issue? I’ve read the discussion on Failed Silent Auth - Login required, but there does not seem to be any resolution.

If anybody has any tips other than running in incognito mode or tweaking the Safari settings, I would be extremely grateful.

Good morning,

Have you tried setting up a custom domain? https://auth0.com/docs/custom-domains

No, I’m still using the free plan. Is this the only solution?

Unfortunately, as of now, only these two things are recommended:

  • Enable a Custom Domain on your tenant and host your web application in a domain that has the same top-level domain as your Auth0 custom domain. For example, you host an application at https://northwind.com and set your Auth0 custom domain as https://login.northwind.com. This way the cookies are no longer third-party (because both your Auth0 tenant and your application are using the same top-level domain), and thus, are not blocked by browsers.

  • Provide a cross-origin verification page that will make cross-origin authentication work in a limited number of browsers even with third-party cookies disabled (see the browser testing information below).

In addition to Karen’s suggestions, you can use refresh token rotation for silent authentication now (this was recently released). Some more info can be found here and here.

Thank you both for your advice. @thameera, you say “In addition to Karen’s suggestion…”, but the first link you gave states that refresh tokens are an alternative to custom domains. Do I need to implement both a custom domain AND a refresh token, or will a refresh token suffice to work around the ITP problem?

Hey @OysteinAmundsen, refresh tokens will work even if you don’t have a custom domain. Reading my previous answer now, I see it can be confusing - I meant that this is another suggestion. 🙂

It would still be ideal to have custom domains set up to make the experience more seamless, especially if you have more than one app (but I understand this means going for a paid account and might not always be an option).

OK, I have an Angular app with a .NET Core backend. I have followed the universal login trail in your docs for setting up Auth0 in my app. What exactly must I do to enable refresh tokens?

I have added useRefreshTokens: true to my createAuth0Client call but it doesn’t seem to do much. I’ve also checked the grants in the Auth0 administration panels, and it allows the use of refresh tokens. I still have the same eternal login loop on Safari.

I’m not entirely sure it’s related, but Chrome and other browsers also report that some cookies are stored using SameSite=None without Secure.

I’m using auth0-spa-js version 1.8.1
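
The browser warning mentioned in the post above (cookies set with SameSite=None but without Secure) can be checked directly against captured Set-Cookie response headers. The following is an added example, not part of the original thread and not Auth0 code; the function names, cookie names and header values are constructed for illustration.

```javascript
// Added example: audit Set-Cookie header values for the cross-site cookie
// attributes discussed in this thread. All sample headers are constructed.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly; SameSite=None',
  'session_compat=abc123; Path=/; HttpOnly; Secure',
  'csrf=xyz; Path=/; Secure; SameSite=Lax',
  'sso=def456; Path=/; HttpOnly; Secure; SameSite=None',
];

// Parse one Set-Cookie value into its name and a map of attributes.
// Attribute names are case-insensitive, so they are lower-cased here.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const attrs = new Map();
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs.set(key, i === -1 ? '' : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

// Report cookies that will not be usable from a cross-site context such as
// the hidden iframe used for silent authentication.
function auditCookies(headers) {
  const findings = [];
  for (const header of headers) {
    const { name, attrs } = parseSetCookie(header);
    const sameSite = (attrs.get('samesite') || '').toLowerCase();
    if (sameSite === 'none' && !attrs.has('secure')) {
      // This is the combination the browser warning refers to.
      findings.push({ name, issue: 'SameSite=None without Secure' });
    } else if (sameSite === 'lax' || sameSite === 'strict') {
      findings.push({ name, issue: 'withheld from cross-site iframe requests' });
    } else if (sameSite === '') {
      findings.push({ name, issue: 'no SameSite attribute; treatment varies by browser' });
    }
  }
  return findings;
}

console.log(auditCookies(SAMPLE_HEADERS));
```

A clean result only means the cookie attributes are well-formed; as described earlier in the thread, a browser that blocks third-party cookies will still withhold them unless the application and the login domain share the same site.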