I have 2 SPA websites, both using 1.10.0 of the @auth0/auth0-spa-js package.
If I log in to SPA 1 and from SPA 1 I open a popup window in which SPA2 should load in an iframe, this works in most cases, but we have seen that when using Chrome in incognito mode the second SPA will ask for a login.
If I log in to SPA1 and then copy SPA2 into another tab, it will not ask for a login and loads correctly.
If not using incognito mode, it appears to work the majority of the time.
From what I can see, SSO doesn't appear to be working when in an iframe and incognito.
I am not sure I understand what you are reporting. Incognito is meant to start a new browsing session, without the existing cookies (that enable silent authentication).
Let me try to explain a bit better:
I open an incognito browser and browse to the SPA1 website; the login screen is displayed and I log in to SPA1.
I browse to a page within SPA1 and click a button. Clicking this button opens a component that contains an iframe which loads the second SPA (SPA2).
I would have expected SPA2 to silently authenticate and not require the user to log in a second time.
The issue is that the login screen is being displayed.
Then, we start our application in the iframe, because it is an extension for Outlook, and it causes an error in your code here in auth0-spa-js, because you cannot access window.localStorage: const json = window.localStorage.getItem(cacheKey);
Error: Failed to read the 'localStorage' property from 'Window': Access is denied for this document.
So, you cannot use localStorage or cookies in an iframe if the browser is in incognito.
This is an urgent bug because Auth0 broke our application; you should display something, but not break the application.
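The storage read that the post above points at can be made to fail closed instead of throwing: probe the storage first, and fall back to an in-memory cache when access is denied. This is an added example, not code from the thread or from auth0-spa-js; the cache key, the injectable storageProvider and the memory fallback are assumptions.

```javascript
// Added example (not from the thread or the auth0-spa-js project): a cache
// reader/writer that tolerates a Window whose localStorage throws on access,
// as it does for a third-party iframe in Chrome incognito, and degrades to an
// in-memory cache instead of crashing the application.

// In-memory fallback used when persistent storage is unavailable.
const memoryCache = new Map();

// Returns the storage object, or null if merely touching it throws.
// `storageProvider` is injectable (assumption) so the denied case can be simulated.
function resolveStorage(storageProvider) {
  try {
    const storage = storageProvider();
    // Some browsers expose the property but reject reads/writes; probe it.
    const probe = '__storage_probe__';
    storage.setItem(probe, '1');
    storage.removeItem(probe);
    return storage;
  } catch (err) {
    // e.g. "Failed to read the 'localStorage' property from 'Window':
    // Access is denied for this document." -> treat storage as unavailable.
    return null;
  }
}

// Reads a JSON-serialised cache entry by key without ever throwing on
// storage access failure. Reports whether the value came from persistent storage.
function readCacheEntry(cacheKey, storageProvider = () => window.localStorage) {
  const storage = resolveStorage(storageProvider);
  const json = storage ? storage.getItem(cacheKey) : memoryCache.get(cacheKey);
  const persistent = storage !== null;
  if (json == null) return { entry: null, persistent };
  try {
    return { entry: JSON.parse(json), persistent };
  } catch (err) {
    return { entry: null, persistent }; // corrupt entry behaves like a miss
  }
}

// Writes an entry; returns true if it reached persistent storage, false if
// it only lives in memory (i.e. it will not survive a reload or be shared).
function writeCacheEntry(cacheKey, entry, storageProvider = () => window.localStorage) {
  const json = JSON.stringify(entry);
  const storage = resolveStorage(storageProvider);
  if (storage) storage.setItem(cacheKey, json);
  else memoryCache.set(cacheKey, json);
  return storage !== null;
}
```

When `persistent` is false the app knows SSO state cannot be shared across frames and can show a login prompt deliberately rather than failing on an exception.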
@dan.woda A React app built with "@auth0/auth0-react": "1.2.0" and "@auth0/auth0-spa-js": "1.13.5" no longer works in incognito in Chrome.
The behaviour is quite troubling, since it seems to manifest in a way that a user can log in and get to the UI, but once there, no XHR requests work because the user is not authenticated in the Apollo client, which gets the token from the Auth0Provider; the Auth0Provider in turn seems to think that the user is authenticated, but not all functionality is supported.
We are using getTokenSilently() from the auth0Client and set it as a header for the Apollo link, and the call to getTokenSilently() is returning nothing, but Auth0Provider says the user is authenticated.
Ultimately, the Apollo client reports an error from the backend that the token is missing in the request. And this only happens in incognito.