I’m having difficulty when using Auth0 on a Single Page Application using Vue.js.
I’m using Vue 3.3.4 and auth0-spa-js 2.0.8 without an auth0 custom domain.
The flow works like this:
The user visits the app (example.com) and if they are not authenticated they are forwarded to the login page which is hosted on example.eu.auth0.com, using loginWithRedirect.
The user is redirected back to the app after login and the access cookie is stored in local storage
When making API requests to my backend, I call client.getTokenSilently() which should handle the refresh process and it throws “Error: Login required”
The issue goes away when I allow third party cookies in my browser.
Is it possible to use Auth0 with refresh tokens, when not using a custom domain, on a Vue.js app? If so, what docs/process would I follow to allow this?
Yes I was able to set that and no unfortunately it didn’t solve the issue.
I also followed the entire official Auth0 Vue.js tutorial and the same issue occurred.
I’ve come to the conclusion that the only way to support handling of background refresh tokens on an SPA without relying on third party cookies is to use a custom domain.
It makes sense, because from a security perspective I understand it’s better to set the refresh token as a server side cookie only accessible on the domain.
That being said, I’ve not seen any official confirmation if this is the case. It would be great if you would be able to confirm that?
Hi, I’m still checking it, but in the meantime, can you please go to your Auth0 tenant → APIs → the API for which you request access tokens and enable “Allow Offline Access”:
Why? Refresh Token Rotation is intended to be a workaround for restrictions that results in preventing access to third-party cookies. But to use the method, we need to allow the “Allow Offline Access” in Auth0 tenant for the API in question.
Can you please do this adjustment and let me know how? Thanks!
If we are testing the Auth0 Vue SDK with the Vue Composition API and the JSON server (no real API server), then no need to make adjustments in APIs section of Auth0 tenant;
I found the main branch of this repo and this tutorial more friendly in terms of time and details you need to manage to test the feature in question (you only have to create the .env file).
I followed it step by step, set up the request token rotation and expiration & inactivities times like you did.
This way, if I refresh the app while being on a protected route after a few minutes, I’m not being asked to reauthenticate (I do not have a similar error as you have).
If you still encounter issues with the guidance your refer to, there’s a button to report issue / provide feedback under each of the mian sections: