Problem statement
After logging in to a SPA, users on the Firefox browser occasionally see HTTP/1.1 Service Unavailable errors from Auth0 endpoints. This does not occur for users on Chrome or Edge.
Cause
Firefox has a tracking protection feature that blocks third-party cookies, similar to Safari's ITP. These features make the browser behave as if third-party cookies were disabled, so silent authentication, which obtains a new token without displaying anything to the user, cannot succeed. In the SPA SDK, getTokenSilently performs silent authentication unless the SDK is configured to use rotating refresh tokens.
Solution
The workaround for this issue is to use Auth0's custom domains feature and to host the custom domain on a subdomain of the application's website domain. For example, if the application is hosted on example.com, the custom domain needs to be of the form subdomain.example.com.
An alternative workaround is to use Refresh Token Rotation, which provides a secure way to use refresh tokens in SPAs and gives end users seamless access to resources without the UX disruption caused by browser privacy features that block third-party cookies.
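Both workarounds, as an added example that is not part of this article or Auth0's code: a check that the custom domain really is a subdomain of the application's site, an auth0-spa-js v2 options object that turns on refresh tokens so getTokenSilently no longer relies on a hidden iframe, and a wrapper that falls back to an interactive login when silent renewal is impossible. Option names follow @auth0/auth0-spa-js v2; the helper names, login.example.com and the offline stand-in client are assumptions made here.

```javascript
// Added example, not Auth0's own code. Option names follow @auth0/auth0-spa-js v2;
// helper names, login.example.com and the fake client are constructed for this page.

// True when customDomain is a subdomain of appDomain (login.example.com under
// example.com), so the Auth0 session cookie is first-party for the SPA.
function isFirstPartyCustomDomain(customDomain, appDomain) {
  const cd = customDomain.toLowerCase().replace(/\.$/, '');
  const ad = appDomain.toLowerCase().replace(/\.$/, '');
  return cd !== ad && cd.endsWith('.' + ad);
}

// Options for createAuth0Client(). useRefreshTokens: true makes getTokenSilently()
// use the rotating refresh token instead of a hidden iframe, so tracking
// protection that blocks third-party cookies no longer breaks token renewal.
function buildAuth0Options(customDomain, appDomain, clientId) {
  if (!isFirstPartyCustomDomain(customDomain, appDomain)) {
    throw new Error(`custom domain ${customDomain} is not a subdomain of ${appDomain}`);
  }
  return {
    domain: customDomain,            // e.g. login.example.com, not tenant.auth0.com
    clientId,
    useRefreshTokens: true,          // needs Refresh Token Rotation enabled on the app
    useRefreshTokensFallback: false, // do not quietly fall back to the iframe flow
    authorizationParams: { redirect_uri: `https://${appDomain}/callback` },
  };
}

// Wraps getTokenSilently(): when renewal cannot succeed (no refresh token, or the
// iframe flow is blocked and reports login_required) send the user through an
// interactive login instead of surfacing a raw SDK error. Any other error is rethrown.
async function getAccessToken(auth0Client) {
  try {
    return { token: await auth0Client.getTokenSilently(), redirected: false };
  } catch (err) {
    if (err && (err.error === 'login_required' || err.error === 'missing_refresh_token')) {
      await auth0Client.loginWithRedirect();
      return { token: null, redirected: true };
    }
    throw err;
  }
}

// Constructed stand-in for the SDK client so this file runs offline.
// behaviour is 'ok' or the error code getTokenSilently() should throw.
function fakeClient(behaviour) {
  let redirected = false;
  return {
    getTokenSilently: async () => {
      if (behaviour === 'ok') return 'eyJ.constructed.token';
      const e = new Error('silent auth failed'); e.error = behaviour; throw e;
    },
    loginWithRedirect: async () => { redirected = true; },
    get redirected() { return redirected; },
  };
}
```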
Related References: