I have a universal React app; currently authentication is being handled client-side in SPA mode. This works great, except in Safari, where webAuth.checkSession utterly breaks unless the user disabled cross-origin tracking.
I’m considering alternatives. One way is to handle refresh server side through and API/Resource server, asking it to verify session using non-expired access tokens. I’m wondering if this is a supported, or at least not discouraged workflow; the API server is our owned api in this scenario.
Another possibility is forcing the universal app to handle authentication server-side only, mimicking a traditional SSR app.
A third is using custom domains, but that would require some additional organizational buy-in, and frankly seems inelegant for a basic auth feature.
Hey there @akotlar, when you see the issues with webAuth.checkSession is it presenting an error message? When you reference custom domains as an inelegant solution I would like to have a better understanding of what you mean so I can relay the feedback. Below I have referenced a similar thread that came to the conclusion that using a custom domain helped resolve the situation. Please let me know if you have any questions as I am happy to help, Thanks!
Hi there @akotlar, I was hoping to find out how things are going and if you have any more questions on this topic? Please let me know if you need any assistance!