Using universal login with a SPA which needs to authenticate against an API; the login flow is as follows:
User arrives at site.
If user is not logged in they are redirected to the Universal Hosted Login page
On successful login user is redirected back to site
We call getTokenSilently (this fails due to third-party cookies being blocked)
We call getTokenWithPopup (this fails as popups are blocked in Safari by default on desktop and mobile)
Reason cookies are blocked:
The issue you’re seeing (as pointed out in the thread you mention) is that third-party cookies are being blocked in Safari (thanks to its ITP technology), and you will find the same thing in other browsers that also block third-party cookies (such as Brave, with its shields up). While not a tracking cookie, Auth0 still relies on the ability to transmit this cookie in order to perform silent reauthentication.
This is mostly with us to find another way to allow silent reauthentication without us…
Is there a solution to mitigate this issue or as it stands is it currently impossible to authenticate against an API with Universal Login in Safari?
Hi @warrenjday,
Welcome to the Community!
Have you seen the refresh token rotation feature that we just released?
Support for Refresh Token Rotation!
Auth0 is proud to announce that as of today, Refresh Token Rotation with Reuse Detection is available for all public cloud customers.
Refresh Token Rotation provides a secure method for using refresh tokens in SPAs while providing end-users with seamless access to resources without the disruption in UX caused by browser privacy technology like ITP.
With Refresh Token Rotation enabled, every time a client exchanges an RT to get a new AT, a new RT is also ret…
This should alleviate the need for silent auth via a third party cookie.
Let me know if that helps!
Dan
Hi Dan,
Glad to be here
Thanks for the reply. I have enabled token rotation in the dashboard but I cannot find documentation on how the code from @auth0/auth0-spa-js should be changed to retrieve a token.
Currently, with 1.7 and useRefreshTokens set to true, calling auth0Client.getTokenSilently still returns the error "login_required" in Safari. Could you provide an example of how the accessToken to be given to an API can be retrieved?
This may be because the token storage needs to be set to localStorage.
Make sure you are aware of the potential risks here.
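The two pieces the thread points at, enabling refresh tokens plus moving the cache to localStorage, and the fallback from the original post's flow (silent token fetch, then an interactive login when Safari still answers login_required), as one added example. This is not code from the thread or from Auth0; the option names (domain, client_id, audience, useRefreshTokens, cacheLocation) and the methods getTokenSilently / loginWithRedirect are the auth0-spa-js 1.x names, while the stub client, the audience value and the token strings are constructed here so the file runs offline.

```javascript
// Added example, not from the original thread or from Auth0.
// Shows (1) the auth0-spa-js 1.7+ options that replace the third-party-cookie
// iframe with rotating refresh tokens, and (2) a token helper that falls back
// to a top-level redirect when getTokenSilently still rejects with
// login_required under Safari ITP.
//
// In a real SPA the client comes from the library:
//   import createAuth0Client from '@auth0/auth0-spa-js';
//   const client = await createAuth0Client(buildAuth0Options({ ... }));
// Below, the client is a constructed stub so the file runs without a browser.

// Option names are the real auth0-spa-js 1.x ones; values are placeholders.
function buildAuth0Options({ domain, clientId, audience }) {
  return {
    domain,
    client_id: clientId,
    audience,                      // API identifier the access token is minted for
    useRefreshTokens: true,        // exchange an RT at /oauth/token instead of the hidden iframe
    cacheLocation: 'localstorage', // the RT must survive reloads; the default memory cache loses it
  };
}

// auth0-spa-js rejects getTokenSilently with an object whose `error`
// field is the OAuth error code. Only these two mean "needs user interaction".
function needsInteractiveLogin(err) {
  return Boolean(err) && (err.error === 'login_required' || err.error === 'consent_required');
}

// Returns an access token for `audience`, or null after starting an
// interactive login. loginWithRedirect navigates the whole window away
// (popups are blocked by default in Safari, so the popup variant is avoided).
async function getApiToken(client, audience) {
  try {
    return await client.getTokenSilently({ audience });
  } catch (err) {
    if (!needsInteractiveLogin(err)) throw err; // network/timeout errors surface to the caller
    // No refresh token in the cache (first visit, or cacheLocation left at
    // 'memory' and the page was reloaded): a top-level redirect is the only
    // flow that does not depend on third-party cookies or popups.
    await client.loginWithRedirect({ audience, appState: { returnTo: '/' } });
    return null;
  }
}

// Constructed stub mimicking the v1.7 client surface used above.
// cachedRefreshToken=false reproduces the thread's symptom: login_required.
function makeStubClient({ cachedRefreshToken }) {
  const calls = [];
  return {
    calls,
    async getTokenSilently({ audience }) {
      calls.push('getTokenSilently');
      if (!cachedRefreshToken) {
        const e = new Error('Login required');
        e.error = 'login_required';
        throw e;
      }
      return `at-for-${audience}`; // constructed placeholder access token
    },
    async loginWithRedirect() {
      calls.push('loginWithRedirect');
    },
  };
}

// Stand-alone demo: one client with a cached RT, one without.
(async () => {
  const audience = 'https://api.example.invalid'; // constructed
  const withRt = makeStubClient({ cachedRefreshToken: true });
  const withoutRt = makeStubClient({ cachedRefreshToken: false });
  console.log('options:', buildAuth0Options({ domain: 'tenant.auth0.com', clientId: 'CLIENT_ID', audience }));
  console.log('with RT   ->', await getApiToken(withRt, audience), withRt.calls);
  console.log('without RT->', await getApiToken(withoutRt, audience), withoutRt.calls);
})();
```

Keeping the refresh token in localStorage is what makes getTokenSilently work after a reload, but it also makes the token readable by any script running on the origin, which is the risk the reply above alludes to; treat XSS hardening (CSP, no untrusted script) as part of enabling this setting.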