Is it currently impossible (without custom domains) to get a token with the Safari browser?

Using universal login with a SPA which needs to authenticate against an API; the login flow is as follows:

  1. User arrives at site.
  2. If user is not logged in, they are redirected to the Universal Hosted Login page.
  3. On successful login, user is redirected back to site.
  4. We call getTokenSilently (this fails due to third-party cookie being blocked).
  5. We call getTokenWithPopup (this fails as popups are blocked in Safari by default on desktop and mobile).

Reason cookies are blocked:

Is there a solution to mitigate this issue or, as it stands, is it currently impossible to authenticate against an API with Universal Login in Safari?

Hi @warrenjday,

Welcome to the Community!

Have you seen the refresh token rotation feature that we just released?

This should alleviate the need for silent auth via a third party cookie.

Let me know if that helps!

1 Like

Hi Dan,

Glad to be here 🙂

Thanks for the reply. I have enabled token rotation in the dashboard but I cannot find documentation on how the code from @auth0/auth0-spa-js should be changed to retrieve a token.

Currently with 1.7 and useRefreshTokens set to true, calling auth0Client.getTokenSilently still returns the error “login_required” in Safari. Could you provide an example of how the accessToken to be given to an API can be retrieved?

This may be because the token storage needs to be set to localStorage.

Make sure you are aware of the potential risks here.
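
The configuration this thread arrives at, as an added example that is not part of any post above and is not Auth0's own sample code. `buildClientOptions`, `getApiToken` and `stubClient` are hypothetical names, the tenant values are placeholders, and the stub stands in for the object that `createAuth0Client` returns so the flow can run outside a browser.

```javascript
// Options for createAuth0Client in @auth0/auth0-spa-js 1.x.
// All tenant-specific values are placeholders, not values from the thread.
function buildClientOptions() {
  return {
    domain: "YOUR_TENANT.example.com",
    client_id: "YOUR_CLIENT_ID",
    audience: "https://api.example.com",
    redirect_uri: "https://app.example.com/callback",
    // getTokenSilently uses a cached refresh token when one is available.
    useRefreshTokens: true,
    // Keep the token cache across page loads. Anything in localStorage is
    // readable by every script running on the origin, so an XSS bug exposes
    // the tokens; weigh that before enabling it.
    cacheLocation: "localstorage",
  };
}

// client: the object returned by createAuth0Client(buildClientOptions()).
// Returns the access token for the API, or null after starting a
// full-page login (no popup, no third-party cookie involved).
async function getApiToken(client) {
  try {
    return await client.getTokenSilently();
  } catch (err) {
    if (err && err.error === "login_required") {
      await client.loginWithRedirect();
      return null;
    }
    throw err; // anything else is a real failure, surface it
  }
}

// Constructed stand-in for the SDK client, recording which calls were made.
function stubClient(behaviour) {
  const calls = [];
  return {
    calls,
    async getTokenSilently() {
      calls.push("getTokenSilently");
      if (behaviour.error) {
        throw Object.assign(new Error(behaviour.error), { error: behaviour.error });
      }
      return behaviour.token;
    },
    async loginWithRedirect() {
      calls.push("loginWithRedirect");
    },
  };
}
```
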
