How to work around the Safari "login required" problem?

I’ve tried some methods that I found in this community, like setting cacheLocation to memory and using refresh tokens, but it still doesn’t work. I’m looking for a way to avoid the “login required” error when silently getting a token on Safari and other browsers where cookies are disabled.
I use React on the client side.

Hey there @pedro3 ,

In case of refresh token rotation setup in your app and Auth0 dashboard, you may verify if it’s also not working in Chrome, and see if maybe it’s a matter of misconfiguration in your setup.

There is an article on workarounds when working with Safari - Troubleshoot Renew Tokens When Using Safari

Please let me know if there are any questions!

Hey Marcelina,
Thanks for your answer, I’ve tried to use other configurations in my provider, but it still doesn’t work.

    // domain and clientId props (required by Auth0Provider) are not shown in this excerpt
    <Auth0Provider
      useRefreshTokens={true}
      authorizationParams={{
        redirect_uri: window.location.origin,
        audience: config.auth0.audience,
        grant: "refresh_token",
        scope: "openid profile email offline_access"
      }}
    ><Router /></Auth0Provider>

This works fine on Chrome and Opera (including incognito mode), but never works on Safari unless I disable that tracking option. Given my configuration, is there something I’m missing in the setup?

Thanks for sharing your set up and results @pedro3 !

The refresh token rotation grant operates mainly on a window session storage object to store the rotating refresh token, not a session cookie. This makes me wonder if your current setup works with this grant or still with a default one coming with some SDKs - cookies-based silent authentication :thinking:

But I can’t also rule out that some component within the SDK still uses cookies. (I came upon this doc mentioning the legacySameSiteCookie option being enabled by default.)

My suggestion: following the doc, can you please add the option
legacySameSiteCookie={false} to your SDK configuration?

You can also share with me the specific Auth0’s doc (quick starts) and SDKs you have used to set your app with Auth0 so I would try to set a sample app locally running the refresh token rotation grant in Safari.

For Silent Authentication to work with browsers that prohibit third-party cookies, the workaround is also to set Auth0 to use a custom domain (a paid feature), so that your app domain and the Auth0 domain are the same → then Auth0 cookies won’t be considered third-party.
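The failure discussed in this thread is the silent (hidden-iframe) renewal coming back with `login_required` once Safari treats the Auth0 cookies as third-party. The following is an added example, not code from the thread or from the Auth0 SDK, of how a client can handle that outcome explicitly instead of letting it surface as an unexplained error. It assumes a `client` object exposing the auth0-spa-js / auth0-react methods `getAccessTokenSilently(opts)` and `loginWithRedirect(opts)` (in auth0-react v2 these come from `useAuth0()`); the error-code list and the `returnTo` handling are this example's own choices.

```javascript
// Error codes (the `error` property on the thrown object) that mean the
// session cannot be renewed without user interaction:
//   login_required / consent_required  - returned by the iframe-based silent
//                                        auth flow, which Safari ITP breaks
//   missing_refresh_token              - refresh-token flow had nothing cached
//                                        (e.g. offline_access not granted)
// Anything else (network failure, timeout) is NOT a session problem and is
// rethrown, so it is never misreported as "session expired" or turned into a
// redirect loop.
const INTERACTIVE_LOGIN_ERRORS = new Set([
  "login_required",
  "consent_required",
  "missing_refresh_token",
]);

function needsInteractiveLogin(err) {
  return Boolean(err) && INTERACTIVE_LOGIN_ERRORS.has(err.error);
}

// Try to obtain an access token silently. Resolves to { token } on success,
// or to { redirected: true } after starting an interactive login that brings
// the user back to `returnTo`. Rethrows unrelated errors untouched.
async function getTokenOrLogin(client, { audience, scope, returnTo }) {
  try {
    const token = await client.getAccessTokenSilently({
      authorizationParams: { audience, scope },
    });
    return { token };
  } catch (err) {
    if (!needsInteractiveLogin(err)) {
      throw err;
    }
    await client.loginWithRedirect({
      appState: { returnTo },
      authorizationParams: { audience, scope },
    });
    return { redirected: true };
  }
}
```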

Good morning, thank you for getting back to me.
Actually, the Auth0 implementation was done by another developer with whom I no longer have contact. Besides those provider configurations, it might be useful to mention that I am using the following package: "@auth0/auth0-react": "^2.2.1". I also tried your suggestion about legacySameSiteCookie={false}, but it didn’t work.
Regarding the custom domain, I also heard about this workaround, but I haven’t found any implementation on how to do this workaround with the custom domain. I only found instructions to go to the custom domains page, but I have no idea what to put in the value (even with the example, I didn’t understand). I entered a test value, and it remained in pending status indefinitely, for instance. Considering that my account is the paid version, could you help me with this?

Good afternoon @pedro3 , thank you for following up.

If I’m not mistaken, in order to set the custom domain feature in Auth0, you would have to provide an existing one that you own + do the verification in your domain management service by following the instructions. Troubleshoot Custom Domains
The domain verification in Auth0 may take up to 48 hours.

I will also update you soon this week with the refresh token rotation setup with @auth0/auth0-react in Safari.

Please let me know if you have any follow-up questions!

Hey there @pedro3!

Could you please toggle the button “Allow Offline Access” in your Auth0 dashboard → APIs → API (the one your SPA requests access and refresh tokens for) under Settings tab?

Does this allow you to leverage the refresh token rotation with Safari?

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.