Safari login impossible without paid plan?

Can someone confirm my findings that custom domain (ie. paid plan) is required for Auth0 SPA SDK to work on browsers that block 3rd-party cookies (ie. Safari)?

  1. Login using Universal Login works
  2. User is redirected to my site
  3. User reloads page
  4. Safari does not send cookie to 3rd-party domain
  5. Silent login fails
  6. User must login again

The only solutions I see are:
a) enable custom domain (used by the OP of my first reference below)
b) store token in localStorage which is seems Auth0 itself discourages
c) tell every potential customer of mine to disable tracking prevention

Are there any other other solutions?



Refresh token rotation (which was recently released) is another solution. Check the discussion here: Call to authorize fails on Safari

The newer versions of SPA SDK lets you use localstorage as an option to store these refresh tokens. See the note here:


Thanks for sharing that knowledge @thameera!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.