SSO doesn't work when incognito/iframe

I have 2 SPA websites, but using 1.10.0 of the @auth0/auth0-spa-js package.

If I log in to SPA1, and from SPA1 I open a popup window and SPA2 should load in an iframe, this works in most cases, but we have seen that when using Chrome in incognito mode the second SPA will ask for a login.

If I log in to SPA1 and then copy the SPA2 into another tab, then it will not ask for a login and loads correctly.

If not using incognito mode it appears to work the majority of the time.

From what I can see, SSO doesn't appear to be working when in an iframe and incognito.

I am not sure I understand what you are reporting? Incognito is meant to start a new browsing session, without the existing cookies (that enable silent authentication).

Let me try to explain a bit better.
I open an incognito browser and browse to the SPA1 website; the login screen is displayed and I log in to SPA1.
I browse to a page within SPA1 and click a button; clicking this button opens a component that contains an iframe which loads the second SPA (SPA2).
I would have expected SPA2 to silently authenticate and not require the user to log in a second time.

The issue is that the login screen is being displayed.

Okay I see what you are saying.

Can you please DM me a HAR of this transaction.


Hi @eldonio, wondering if you've had luck solving or finding a workaround for this issue?


We were having a similar issue. Child apps with the Auth0 SDK nested in iframes could not authenticate in Chrome Incognito or Safari.

We were able to fix the issue by creating a custom domain for each of our tenants. We’re not using refresh tokens.

Hopefully this could be helpful 🙂