- Which SDK this is regarding: auth0-spa-js
- SDK Version: 1.12.0
- Platform Version: e.g. Node 14.3.2
I’ve read a lot of posts here about issues with silent auth and Safari, particularly regarding the default option to prevent cross-site tracking in newer versions. I’ve read through the docs around rotating refresh tokens and custom domains so, at a high level, I understand the limitations and how to work around them.
My question here is about a very specific quirk that I can’t explain that is seemingly caused by the cross-site tracking prevention. In my app, I’ve got a block of code in middleware that will try to log users in as soon as possible with the `getTokenSilently()` method. Here’s a relevant snippet:
```javascript
// checkedAuthentication, auth0, dispatch and auth0SetAuthenticated are defined
// elsewhere in the app; this runs as middleware on every navigation.
if (!checkedAuthentication) {
  // Only attempt the silent login once per page load.
  checkedAuthentication = true
  auth0.getTokenSilently()
    .then(authToken => {
      if (authToken) {
        // This doesn't get called!
        dispatch(auth0SetAuthenticated(true))
      }
    })
    .catch((e) => {
      // A user with no Auth0 session is expected; anything else is a real error.
      if (e?.error === 'login_required') {
        return
      }
      throw e
    })
}
```
After a user logs in with universal login, they get redirected back to my main app page and this block will get called pretty much immediately afterwards as middleware. However, it always falls into the `catch` with a `login_required` error.
The weirdest part about this is that I can use the `getTokenSilently()` call totally fine elsewhere in the app. The only real difference I can see is that they won’t get called as immediately after logging in.
I’ve tried replicating this on Chrome and Firefox with no luck. If I turn off the “Prevent cross-site tracking” option in Safari, it works fine.
It definitely looks like it has to do with cookies for all those reasons, but I can’t quite connect that to what I’m seeing. Could anyone here give me some insight into why the location of this function call seems to matter so much here? Thanks in advance!
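Added example, not code from the original post or from the auth0-spa-js project: the bootstrap sequence a practitioner would compare against the snippet above. With auth0-spa-js 1.x, `handleRedirectCallback()` exchanges the authorization code from the Universal Login redirect and fills the SDK's token cache; a `getTokenSilently()` issued after that is served from the cache, whereas one issued before it (or on a fresh page load without refresh tokens) has to go through the hidden-iframe flow, which fails with `login_required` in Safari when cross-site tracking prevention blocks the Auth0 session cookie. The `AUTH0_OPTIONS` values, the `bootstrapSession` and `isRedirectCallback` helpers and the fake client are assumptions constructed for this example so it runs offline; in a real app the client comes from `createAuth0Client(AUTH0_OPTIONS)` imported from `@auth0/auth0-spa-js`.

```javascript
// Added example (not the original post's code). Demonstrates the call order
// around the Universal Login redirect and the ITP-oriented client settings.

// Assumed configuration: domain/client_id/redirect_uri are placeholders.
// useRefreshTokens + cacheLocation switch silent renewal from the hidden
// iframe (blocked by Safari's cross-site tracking prevention) to rotating
// refresh tokens persisted in localStorage.
const AUTH0_OPTIONS = {
  domain: 'YOUR_TENANT.auth0.com',
  client_id: 'YOUR_CLIENT_ID',
  redirect_uri: 'https://app.example/callback',
  useRefreshTokens: true,
  cacheLocation: 'localstorage',
};

// True when the current URL is the redirect back from Universal Login, which
// carries both the `code` and `state` query parameters.
function isRedirectCallback(search) {
  const params = new URLSearchParams(search);
  return params.has('code') && params.has('state');
}

// Bootstrap the session once. Order matters: handleRedirectCallback() must
// run before the first getTokenSilently(), otherwise the SDK cache is still
// empty and the call has to fall back to the iframe flow.
async function bootstrapSession(auth0, search) {
  if (isRedirectCallback(search)) {
    await auth0.handleRedirectCallback();
  }
  try {
    const token = await auth0.getTokenSilently();
    return { authenticated: Boolean(token), token };
  } catch (e) {
    // No Auth0 session (or the iframe was blocked): treat as logged out.
    if (e && e.error === 'login_required') {
      return { authenticated: false, token: null };
    }
    throw e;
  }
}

// Constructed fake client (stand-in for createAuth0Client) that models the
// two behaviours under discussion: handleRedirectCallback() fills the cache,
// and getTokenSilently() with an empty cache fails like an ITP-blocked iframe.
function makeFakeClient() {
  const cache = { token: null };
  return {
    async handleRedirectCallback() {
      cache.token = 'eyJ.constructed.access-token';
    },
    async getTokenSilently() {
      if (cache.token) return cache.token;
      throw { error: 'login_required', error_description: 'Login required' };
    },
  };
}
```

Usage in the browser: `const auth0 = await createAuth0Client(AUTH0_OPTIONS); const session = await bootstrapSession(auth0, window.location.search);`, then clear the `code`/`state` parameters from the URL with `history.replaceState` so a reload does not try to redeem the code a second time.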