Last Updated: Jul 28, 2025

Overview

This article addresses an issue where silent authentication attempts fail, preventing Single Sign-On (SSO) from functioning correctly and resulting in the following error:

login required

Applies To

• Single Sign-On (SSO)
• Login Required
• Third-Party Cookies
• Cross-Origin Authentication

Cause

Major web browsers are increasingly blocking third-party cookies by default as a security measure. If the cookie required for Single Sign-On (SSO) is from a different domain than the application, the browser treats it as a third-party cookie and blocks it. This action prevents silent authentication and causes the process to fail.

Solution

There are two methods to resolve this issue. The preferred method is listed first.

1. Configure the web application and the authentication tenant to share the same top-level domain. This makes the SSO cookie a first-party cookie, which browsers do not block.

• For example, if the application is hosted at <myapplicationdomain.com>, configure a custom domain for the Auth0 tenant, such as <login.myapplicationdomain.com>. In this case, the cookie from <login.myapplicationdomain.com> is not considered third-party when requested from <myapplicationdomain.com>.

2. If using a shared top-level domain is not possible, use refresh tokens to obtain new access tokens. This method allows for silent authentication without relying on the SSO cookie. For additional information, see documentation regarding Refresh Tokens and Access Settings.

Related References

• Configure Custom Domains with Auth0-Managed Certificates
• Refresh Tokens
• Access Settings
• Cross-Origin Authentication