Disabling 3rd party cookies breaks MFA

When I disable 3rd party cookies (e.g., turning on “Block third-party cookies” in Chrome), then the MFA screen for my app shows a red banner with “WE CANNOT CONNECT TO REAL TIME CHANNEL.”

This issue persists even after clearing my cookies as suggested in this topic, which isn’t surprising since the Auth0 cross-origin authentication article explicitly states “disabling third-party cookies will make cross-origin authentication fail”.

However, that same article suggests using a custom domain to fix the problem - which is what my app is currently using. I have an app that lives at mySubdomain.myCustomApp.com, and I’ve enabled a custom login domain at login.myCustomApp.com.

Does my custom domain need to point to login.mySubdomain.myCustomApp.com to be considered a first party cookie?

Did you ever solve this? We have the same problem.

Block 3rd-party cookies + custom domain = MFA error
But:
Block 3rd-party cookies + NO custom domain = no error


Yes, we finally did! While emailing with Auth0 customer support, they suggested changing this line on the hosted login page:

{% if stateCheckingMechanism %}stateCheckingMechanism: "{{ stateCheckingMechanism }}", {% endif %}

to

stateCheckingMechanism: "polling",

which fixed the issue for us.


OK. Interesting.
I actually fixed ours by changing:
mfaServerUrl: "{{ mfaServerUrl }}",

to

mfaServerUrl: "https://login.ourdomain.com/guardian/"

in the Multifactor hosted page.

But I'm pretty sure that is a hack?
