SSO doesnt work when incognito/iframe

eldonio · July 1, 2020, 1:06pm

i have 2 SPA websites, but using 1.10.0 of the @auth0/auth0-spa-js package.

If i login to SPA 1 and from spa 1 i open a popup window and spa2 should load in an iframe, this works on most cases but we have seen that when using chrome in incognito mode the second spa will ask for a login.

if i login to SPA1 and then copy the SPA2 into another tab, then it will not ask for a login and load correctly.

If not using incognito mode it appears to work the majority of the time.

From what i can see SSO doesn’t appear to be working when in an iframe and incognito.

dan.woda · July 2, 2020, 10:18pm

I am not sure I understand what you are reporting? Incognito is meant to start a new browsing session, without the existing cookies (that enable silent authentication).

eldonio · July 6, 2020, 10:15am

Let me try to explain a bit better,
I open a incognito browser and browse to the SPA1 website, the login screen is displayed and i login to SPA1.
I browse to a page within SPA1 and click a button, clicking this button opens a component that contains an iFrame which loads the second SPA (SPA2).
I would have expected SPA2 to sliently authenticate and not require the user to login a second time.

The issue is that the login screen is been displayed.

dan.woda · July 6, 2020, 3:57pm

Okay I see what you are saying.

Can you please DM me a HAR of this transaction.

Thanks,
Dan

zivrosen · July 28, 2020, 3:02am

Hi @eldonio wondering if you’ve had luck solving or finding a workaround for this issue?

Thanks,
Ziv

eoghan.bonass · October 6, 2020, 9:18am

We were having a similar issue. Child apps with the auth0 SDK nested in iframes could not authenticate in Chrome Incognito or Safari.

We were able to fix the issue by creating a custom domain for each of our tenants. We’re not using refresh tokens.

Hopefully this could be helpful

Cheers

Eoghan

Antoni · October 30, 2020, 7:30pm

Yes, this important bug.

I will explain if a user uses chrome 83+ in incognito mode, it has an option by default
(x) Block third-party cookies in Incognito

Then, we start our application in the iframe, because its extension for outlook, it will occur error in your code here auth0-spa-js, because you cannot ask window.localStorage:
const json = window.localStorage.getItem(cacheKey);

Error: Failed to read the ‘localStorage’ property from ‘Window’: Access is denied for this document.

github.com

auth0/auth0-spa-js/blob/cb125b61fa5a4e3d877939bb3d4e104bda8f3418/src/cache.ts#L102


      
                localStorage.removeItem(localStorage.key(i));
              }
            }
          }
          
          
/**
           * Retrieves data from local storage and parses it into the correct format
           * @param cacheKey The cache key
           */
          private readJson(cacheKey: string): CachePayload {
            const json = window.localStorage.getItem(cacheKey);
            let payload;
          
          
  if (!json) {
              return;
            }
          
          
  payload = JSON.parse(json);
          
          
  if (!payload) {
              return;

So, you cannot use localStorage, cookies in an iframe if the browser in incognito.
This is an urgent bug because auth0 broken our application, you should display something, but not breaking the application.

michael_hindley · December 8, 2020, 4:44pm

@dan.woda React app built with “@auth0/auth0-react”: “1.2.0” and “@auth0/auth0-spa-js”: “1.13.5”,
no longer works in incognito in chrome.

The behaviour is quite troubling, since it seems to manifest in a way that a user can login and get to the ui, but once there, no XHR requests work due to the user not being authenticated in the Apollo client which gets the token from the Auth0Provider, the Auth0Provider in turn seems to think that the user is authenticated but not all functionality is supported.

We are using getTokenSilently() from the auth0Client and set it as header for the Apollo link, and the call to getTokenSilently() is returning nothing, but Auth0Provider says the user is authenticated.

Ultimately, the Apollo client reports an error from the backend that the token is missing in the request. And this only happens in incognito.

dan.woda · December 9, 2020, 10:38pm

Hi @michael_hindley,

Have you tried the solution that @eoghan.bonass suggested?

system · December 24, 2020, 10:38pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Different behavior of auth0-spa-js in Incognito Chrome? Help sso , application	3	455	January 3, 2024
Auth0 SSO with iframe Help auth0 , login , iframe	3	10675	October 26, 2020
Auth0 going infinte on chrome incognito mode Help login-experience , signup-prompt-new-experience	2	962	June 20, 2023
Issue with auth login in chrome incognito mode Help auth0 , login , issue , incognito	2	7383	October 14, 2020
Unable to login to AUth0 in incognito mode Keeps reloading the browser window Help login	12	11237	July 6, 2021

SSO doesnt work when incognito/iframe

Related Topics