Confusion around silent authentication failures on Safari with cross-site tracking disabled

  • Which SDK this is regarding: auth0-spa-js
  • SDK Version: 1.12.0
  • Platform Version: e.g. Node 14.3.2

I’ve read a lot of posts here about issues with silent auth and Safari, particularly regarding the default option to prevent cross-site tracking in newer versions. I’ve read through the docs around rotating refresh tokens and custom domains so, at a high level, I understand the limitations and how to work around them.

My question here is about a very specific quirk that I can’t explain and that is seemingly caused by the cross-site tracking prevention. In my app, I’ve got a block of code in middleware that will try to log users in as soon as possible with the getTokenSilently() method. Here’s a relevant snippet:

if (!checkedAuthentication) {
  checkedAuthentication = true
  auth0.getTokenSilently()
    .then(authToken => {
      if (authToken) {
        // This doesn't get called!
        dispatch(auth0SetAuthenticated(true))
      }
    })
    .catch((e) => {
      if (e?.error === 'login_required') {
        return
      }
      throw e
    })
}

After a user logs in with universal login, they get redirected back to my main app page and this block will get called pretty much immediately afterwards as middleware. However, it always falls into the catch with a login_required error.

The weirdest part about this is that I can use the getTokenSilently() call totally fine elsewhere in the app. The only real difference I can see is that they won’t get called as immediately after logging in.

I’ve tried replicating this on Chrome and Firefox with no luck. If I turn off the “Prevent cross-site tracking” option in Safari, it works fine.

It definitely looks like it has to do with cookies for all those reasons, but I can’t quite connect that to what I’m seeing. Could anyone here give me some insight into why the location of this function call seems to matter so much here? Thanks in advance!
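As an added example (not code from the original post or from the auth0-spa-js project), the sequence below processes the Universal Login redirect result before attempting silent auth, and treats only `login_required` as "no session" while surfacing any other failure. The client is injected so the logic runs without the SDK; `fakeAuth0` is a constructed stand-in for the real client, and the assumption that the redirect result must be consumed before `getTokenSilently()` succeeds is the author's own, not something the post states.

```javascript
// Added example, not from the original post or auth0-spa-js.
// `resolveSession` takes any object exposing handleRedirectCallback() and
// getTokenSilently(); `fakeAuth0` is a constructed stand-in for tests.

const LOGIN_REQUIRED = 'login_required';

// True when the current URL carries the redirect result from Universal Login.
function hasRedirectResult(search) {
  const params = new URLSearchParams(search);
  return params.has('code') && params.has('state');
}

// Assumed ordering: consume the redirect result first, then try silent auth.
// Only `login_required` means "anonymous user"; anything else is rethrown so
// a blocked iframe or a misconfiguration is never swallowed as a logout.
async function resolveSession(auth0, search) {
  if (hasRedirectResult(search)) {
    await auth0.handleRedirectCallback();
  }
  try {
    const token = await auth0.getTokenSilently();
    return { authenticated: Boolean(token), token };
  } catch (e) {
    if (e && e.error === LOGIN_REQUIRED) {
      return { authenticated: false, token: null };
    }
    throw e;
  }
}

// Constructed fake client: it only holds a cached token once the redirect
// callback has run, and otherwise fails the way a blocked silent iframe does.
function fakeAuth0({ redirectPending }) {
  let cached = null;
  return {
    async handleRedirectCallback() {
      if (redirectPending) cached = 'constructed-access-token';
    },
    async getTokenSilently() {
      if (cached) return cached;
      throw { error: LOGIN_REQUIRED, error_description: 'Login required' };
    },
  };
}
```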

Hi there @lpatino and welcome to the Auth0 Community!

I apologize for the delay on this topic, but I wanted to sync back up with you. When you get a chance, can you capture the described workflow in a HAR file and direct message it over? I would love to review this with my team. Thanks!