I’m using auth0-spa.js@1.6.3, and every time I reload the browser, during development, the createAuth0Client() does a “/token” API call to auth0, which takes more than 500ms, and is terrible for development flow, and for users.
I don’t understand why auth0-spa isn’t using some stored cookie token, and insists on regenerating the token on every browser reload.
The only hints I have are:
the browser complaining:
A cookie associated with a cross-site resource at https://dev-afxqu5ps.auth0.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at …
home:1
A cookie associated with a cross-site resource at http://auth0.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at …
Tokens are not stored in the browser deliberately. This is a decision made for the sake of your application’s security. A new token is issued on page refresh for SPAs using silent auth, essentially just a cookie session.
The flow is intended for SPAs that are not being refreshed on every new page route. There are a few ways to work around this issue, by either changing your SPA to make it conform to this expectation or by handling token storage and auth via a backend like a regular web app.
Thank you @dan.woda for your quick response.
Is there a way during development only to enable the unsafe storage and thus eliminate the unnecessary silent auth?
For a web developer, having to wait 500ms every time they save their code, 2000 times a day, accumulates fast into reduced productivity and poor code-to-browser responsiveness.
If there isn’t, may I suggest this as a feature?
Web developers, I’m sure, will appreciate it tons.
You are running into this when developing your auth0 implementation or after the fact, when you’re expecting the token to be there and developing other aspects of your app?
I’m referring to development time.
I have my code on the left, the browser on the right.
What web developers do all day is edit code, Cmd+S to save, then see the change reflect on the browser to the right automatically (Live Reload).
While before auth0, this was instantaneous, now there’s a 500-700ms lag every time, and it’s a terrible developer experience.
What aspect of development? If you are changing parts of your auth framework you are likely going to want a new token with up-to-date claims. If you are cmd+Sing through some CSS changes you could just hard code a placeholder token.
To clarify, I was saying you can just add data as a variable that your UI is expecting. It’s not a built-in method or anything like that.
I have never heard this complaint before so I decided to test it, and found the difference almost negligible. The calls to /authorize and the /token endpoint are ~150ms total for me. Is it possible something else is causing this delay?