Proper way to handle browsers that block third party cookies (like Safari)

According to previous forum posts and the docs, the right way to deal with browsers that block third party cookies, like Safari, is to use refresh tokens and set cacheLocation to ‘localstorage’. After doing this, I noticed that simply setting cacheLocation to ‘localstorage’ also resolves the issue.

So my question is, why is the recommendation always to use refresh tokens (which by themselves don’t resolve the issue) and not just to use local storage as the cache location?

Would it be better to use local storage to store the token AND use refresh tokens, or to just use cache location local storage and not refresh tokens?

Thanks

Hi @napter

The question is what happens when an access token expires. If you don’t use refresh tokens, then you are relying on sessions – and cookies. So you do need refresh tokens.

John

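The point in the answer above, as an added example that is not part of the original posts and is not code from the Auth0 SDK: a simplified model of where a single-page app can get its next access token when third-party cookies are blocked. All function names, the token lifetime and the timeline are constructed assumptions.

```javascript
// Simplified model of the decision, NOT auth0-spa-js source; all names are hypothetical.
const TOKEN_LIFETIME = 3600; // seconds, constructed value

// What the cache holds right after an interactive login at time `now`.
function login(now, useRefreshTokens) {
  return {
    expiresAt: now + TOKEN_LIFETIME,
    refreshToken: useRefreshTokens ? 'rt-sample' : null, // constructed placeholder
  };
}

// A page reload wipes an in-memory cache; a localStorage cache survives it.
function afterReload(cacheLocation, entry) {
  return cacheLocation === 'localstorage' ? entry : null;
}

// Where the next access token comes from at time `now`.
function tokenSource(entry, now, cfg) {
  // 1. A cached, unexpired access token needs no network call and no cookie.
  if (entry && entry.expiresAt > now) return 'cache';
  // 2. A stored refresh token is exchanged at the token endpoint, again without cookies.
  if (cfg.useRefreshTokens && entry && entry.refreshToken) return 'refresh_token_grant';
  // 3. Otherwise only the session at the identity provider is left, and that
  //    session lives in a cookie which is third-party from the app's origin.
  return cfg.thirdPartyCookiesBlocked ? 'login_required' : 'iframe_session_cookie';
}

// Timeline: log in at t=0, reload the page and request a token at t=60,
// then request one again at t=4000, after the access token has expired.
function simulate(cfg) {
  let entry = login(0, cfg.useRefreshTokens);
  entry = afterReload(cfg.cacheLocation, entry);
  return [tokenSource(entry, 60, cfg), tokenSource(entry, 4000, cfg)];
}

// The four combinations discussed in the thread, with third-party cookies blocked.
function runAll() {
  const out = {};
  for (const cacheLocation of ['memory', 'localstorage']) {
    for (const useRefreshTokens of [false, true]) {
      const cfg = { cacheLocation, useRefreshTokens, thirdPartyCookiesBlocked: true };
      out[`${cacheLocation}/refresh=${useRefreshTokens}`] = simulate(cfg).join(' -> ');
    }
  }
  return out;
}

console.log(runAll());
```

In this model, local storage alone works only until the cached access token expires, and refresh tokens alone do not survive a reload of an in-memory cache.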

I’ve been struggling with this issue for a couple of weeks (getting auth0 to work with block third party cookies turned on) until I finally stumbled on this post. I have multiple angular apps, some using 1.10.1 of the auth0 component, some using 2.2.1. The old ones work fine with useRefreshTokens (but not cacheLocation of ‘localstorage’). I have been trying to figure out how to make the new version work without enabling third party cookies in the browser. If I set cacheLocation to ‘localstorage’ it solves the issue, but if I also set useRefreshTokens the issue comes back again. I’m really confused. So I can get it to work, but I’m wondering if I’m doing something wrong. I cannot find any good documentation about third party cookies and auth0.