Can someone confirm my findings that a custom domain (i.e. paid plan) is required for the Auth0 SPA SDK to work on browsers that block 3rd-party cookies (i.e. Safari)?
1. Login using Universal Login works
2. User is redirected to my site
3. User reloads page
4. Safari does not send cookie to 3rd-party domain
5. Silent login fails
6. User must login again
The only solutions I see are:
a) enable custom domain (used by the OP of my first reference below)
b) store token in localStorage, which it seems Auth0 itself discourages
c) tell every potential customer of mine to disable tracking prevention
Are there any other solutions?
Thanks!
References:
I confess I only know the high-level theory around server-side rendered Angular applications, but I’m assuming your situation is one where ultimately Javascript code running in a browser session at app.example.com would be performing XHR calls to api.example.com and would be using access tokens as proof that the caller is authorised to perform the associated actions.
In this situation, given that the access tokens would be issued by the Auth0 service then a tenant domain without a custom domain …
Extremely worried right now.
My application is having a problem with user silent authentication.
After a user logs in/signs up, the silent authentication fails and they are sent to the signup page (using Auth0 Universal Login). After being sent to the login page, it sees that they are already logged in so they get redirected back to my website, in which silent auth fails again and sends them to the sign up page, and this loops on forever.
I’ve noticed this problem only occurs …
EDIT: It looks like my callback URL was not correct, but instead of actually receiving the “Oops something went wrong” page with that error detail, I just received a 403 and had to authenticate again. I’m not sure which of the three attempted suggestions worked (incognito with no extensions, disabling the two flags mentioned, or switching to a custom domain), but I will update if I can narrow that down at all.
EDIT 2: It looks like there may have been two issues, both only viewable in the sourc…
1 Like
Refresh token rotation (which was recently released) is another solution. Check the discussion here: Call to authorize fails on Safari - #5 by thameera
The newer versions of SPA SDK lets you use localstorage as an option to store these refresh tokens. See the note here: Auth0 Single Page App SDK
3 Likes
Thanks for sharing that knowledge @thameera !
system
Closed
June 18, 2020, 10:09am
4
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.