I have a universal React app; currently authentication is being handled client-side in SPA mode. This works great, except in Safari, where webAuth.checkSession utterly breaks unless the user disabled cross-origin tracking.
I’m considering alternatives. One way is to handle refresh server side through an API/Resource server, asking it to verify session using non-expired access tokens. I’m wondering if this is a supported, or at least not discouraged, workflow; the API server is our owned API in this scenario.
Another possibility is forcing the universal app to handle authentication server-side only, mimicking a traditional SSR app.
A third is using custom domains, but that would require some additional organizational buy-in, and frankly seems inelegant for a basic auth feature.
Advice would be much appreciated!