After a user logs in/signs up, the silent authentication fails and they are sent to the signup page (using Auth0 Universal Login). After being sent to the login page, it sees that they are already logged in so they get redirected back to my website, in which silent auth fails again and sends them to the sign up page, and this loops on forever.
I’ve noticed this problem only occurs on Safari (our target audience is mobile users). But since most of our users use iPhone to access the website, the problem might occur on other web browsers; I have just only seen it on Safari.
I have a feeling it is a problem with Safari’s cookies, as stated in this Auth0 post I saw:
but I’m not sure how I would fix this problem. Is this an issue with Auth0, or do I have to configure things a certain way for the cookies to work on Safari?
Any help is much appreciated!
The issue you’re seeing (as pointed out in the thread you mention) is that third-party cookies are being blocked in Safari (thanks to its ITP technology), and you will find the same thing in other browsers that also block third-party cookies (such as Brave, with its shields up). While not a tracking cookie, Auth0 still relies on the ability to transmit this cookie in order to perform silent reauthentication.
This is mostly on us to find another way to allow silent reauthentication without using this cookie. We currently have a beta release of the SDK that would allow you to use local storage to keep your access token for longer (surviving page refreshes), although it doesn’t solve the whole problem as it depends on the expiry of your access tokens. We have more advancements in this area coming too.
You may enable the rotational refresh tokens for your single-page applications. With Refresh Token enabled, calls to renew the tokens don’t depend on cookies, so it will help to avoid third-party cookie limitations.
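As an added example (not code from the thread or from Auth0), this shows the two pieces the replies point at: an auth0-spa-js client configured to renew tokens with rotating refresh tokens and a local-storage cache instead of the third-party cookie, plus a guard that breaks the silent-auth → login → silent-auth redirect loop from the question if renewal still fails. Option names follow auth0-spa-js v2 (`createAuth0Client`); the redirect limit, the storage key and the tenant values are assumptions.

```javascript
// Added example; not the thread's or Auth0's own code. Assumed constants:
const MAX_REDIRECTS = 2;              // bounce the user at most this many times
const COUNTER_KEY = 'auth_redirects'; // sessionStorage key for the attempt counter

// Options for createAuth0Client(): useRefreshTokens swaps the cookie-based
// checkSession iframe for the refresh_token grant, and cacheLocation keeps the
// cache across reloads (note: tokens in localStorage are readable by page JS).
function buildAuth0Options(domain, clientId, redirectUri) {
  return {
    domain,
    clientId,
    useRefreshTokens: true,
    cacheLocation: 'localstorage',
    authorizationParams: { redirect_uri: redirectUri },
  };
}

// Decide what to do when getTokenSilently() rejects. Returns 'redirect' (send
// the user to Universal Login once more), 'stop' (loop detected: render a manual
// login button instead of redirecting again) or 'rethrow' (unrelated error).
// `storage` is any object with getItem/setItem, e.g. window.sessionStorage.
function nextActionAfterSilentAuthFailure(storage, errorCode) {
  if (errorCode !== 'login_required' && errorCode !== 'consent_required') {
    return 'rethrow';
  }
  const attempts = Number(storage.getItem(COUNTER_KEY) || 0);
  if (attempts >= MAX_REDIRECTS) {
    return 'stop';
  }
  storage.setItem(COUNTER_KEY, String(attempts + 1));
  return 'redirect';
}

// Reset the counter once a session has actually been established.
function markSessionEstablished(storage) {
  storage.setItem(COUNTER_KEY, '0');
}

// Page-side orchestration; `client` is an auth0-spa-js client instance.
async function ensureSession(client, storage = window.sessionStorage) {
  try {
    const token = await client.getTokenSilently();
    markSessionEstablished(storage);
    return token;
  } catch (err) {
    const action = nextActionAfterSilentAuthFailure(storage, err.error);
    if (action === 'redirect') { await client.loginWithRedirect(); return null; }
    if (action === 'stop') { return null; } // caller shows an explicit login button
    throw err;
  }
}
```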