Safari Browser Throws "Error: invalid_request" at Login

Problem statement

The Safari browser throws the error “invalid_request” when a user tries to log in to an application. Safari has a setting called “Prevent cross-site tracking”. If this setting is disabled, the problem goes away and the user can log in.

However, this requires each user to open their Safari settings and change the option by hand. Users often lack the confidence and skills to do this, so it is not a scalable solution. This article describes alternatives to changing that setting.

Symptoms

When using the Safari browser, login fails and the error “invalid_request” is displayed.

Cause

The Safari browser uses Intelligent Tracking Prevention (ITP), which restricts third-party cookies. For more information, read the external documents Tracking Prevention in WebKit and Safari Privacy Overview.

Solution

The Safari browser includes a mechanism called Intelligent Tracking Prevention. The purpose of this technology is to improve the privacy and security of the web browsing experience by preventing unwanted cross-site tracking. Unfortunately, this makes third-party cookies less useful in authentication scenarios.

  • Allowing third-party cookies (disabling the Prevent Cross-Site Tracking setting) resolves the reported issue.
  • By contrast, blocking third-party cookies (leaving Prevent Cross-Site Tracking enabled) causes the login flow to be blocked and the error to be returned.

Changing the browser setting is not always an option, for example when:

  • third-party cookies should not be allowed (Prevent Cross-Site Tracking must stay enabled)
  • the browser does not support third-party cookies
  • support for third-party cookies has been manually disabled in the browser’s settings

In these situations, authentication can instead be implemented with a custom domain (only available with paid subscriptions). For further details, refer to Custom Domains. With a custom domain, the Auth0 session cookie is set from the same site as the application, so the browser treats it as a first-party cookie and the dependence on a third-party cookie is removed.
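The following is an added example, not code from the original article or from Auth0: it shows why a custom domain fixes the problem by classifying the authentication server’s cookie as first-party or third-party relative to the application, using a simplified “same site” (registrable domain, eTLD+1) comparison of the kind browsers apply for cross-site tracking decisions. The hostnames and the public-suffix subset are constructed for illustration.

```javascript
// Added example: is the login server's cookie first-party or third-party
// from the application's point of view? Browsers such as Safari (ITP)
// compare the "site" (registrable domain, eTLD+1) of the two hosts.

// Constructed subset of the Public Suffix List; browsers use the full list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Registrable domain: the public suffix plus the label immediately before it,
// so "login.example.com" -> "example.com" and "shop.acme.co.uk" -> "acme.co.uk".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return hostname.toLowerCase(); // no known suffix: treat the whole host as the site
}

// Two origins are "same site" when their registrable domains match; a cookie
// set by authOrigin is therefore first-party for appOrigin only in that case.
function cookieParty(appOrigin, authOrigin) {
  const app = registrableDomain(new URL(appOrigin).hostname);
  const auth = registrableDomain(new URL(authOrigin).hostname);
  return app === auth ? "first-party" : "third-party";
}

// Hypothetical hostnames for illustration (not real deployments).
const APP = "https://app.example.com";
const DEFAULT_TENANT = "https://example-tenant.us.auth0.com"; // default tenant domain
const CUSTOM_DOMAIN = "https://login.example.com";            // custom domain, same site as the app

// Default tenant domain: a different site, so the session cookie is third-party
// and is blocked when Prevent Cross-Site Tracking is enabled.
console.log("default tenant domain:", cookieParty(APP, DEFAULT_TENANT)); // third-party
// Custom domain: same site, so the cookie is first-party and the setting does not apply.
console.log("custom domain:       ", cookieParty(APP, CUSTOM_DOMAIN));   // first-party
```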

Where applications must work across domains, use the New Universal Login experience together with Refresh Token Rotation to authenticate users. Refresh Token Rotation provides a secure way to use refresh tokens in SPAs while giving end users seamless access to resources, without the UX disruption caused by browser privacy technology such as ITP. For more details, refer to Refresh Token Rotation.

Refresh Token Rotation doesn’t use cookies to validate the user’s session in Auth0. To learn more about Refresh Token Rotation.

Related References