SSO doesnt work when incognito/iframe

i have 2 SPA websites, but using 1.10.0 of the @auth0/auth0-spa-js package.

If i login to SPA 1 and from spa 1 i open a popup window and spa2 should load in an iframe, this works on most cases but we have seen that when using chrome in incognito mode the second spa will ask for a login.

if i login to SPA1 and then copy the SPA2 into another tab, then it will not ask for a login and load correctly.

If not using incognito mode it appears to work the majority of the time.

From what i can see SSO doesn’t appear to be working when in an iframe and incognito.

I am not sure I understand what you are reporting? Incognito is meant to start a new browsing session, without the existing cookies (that enable silent authentication).

Let me try to explain a bit better,
I open a incognito browser and browse to the SPA1 website, the login screen is displayed and i login to SPA1.
I browse to a page within SPA1 and click a button, clicking this button opens a component that contains an iFrame which loads the second SPA (SPA2).
I would have expected SPA2 to sliently authenticate and not require the user to login a second time.

The issue is that the login screen is been displayed.

Okay I see what you are saying.

Can you please DM me a HAR of this transaction.


Hi @eldonio wondering if you’ve had luck solving or finding a workaround for this issue?


We were having a similar issue. Child apps with the auth0 SDK nested in iframes could not authenticate in Chrome Incognito or Safari.

We were able to fix the issue by creating a custom domain for each of our tenants. We’re not using refresh tokens.

Hopefully this could be helpful :slight_smile:



Yes, this important bug.

I will explain if a user uses chrome 83+ in incognito mode, it has an option by default
(x) Block third-party cookies in Incognito

Then, we start our application in the iframe, because its extension for outlook, it will occur error in your code here auth0-spa-js, because you cannot ask window.localStorage:
const json = window.localStorage.getItem(cacheKey);

Error: Failed to read the ‘localStorage’ property from ‘Window’: Access is denied for this document.

So, you cannot use localStorage, cookies in an iframe if the browser in incognito.
This is an urgent bug because auth0 broken our application, you should display something, but not breaking the application.

@dan.woda React app built with “@auth0/auth0-react”: “1.2.0” and “@auth0/auth0-spa-js”: “1.13.5”,
no longer works in incognito in chrome.

The behaviour is quite troubling, since it seems to manifest in a way that a user can login and get to the ui, but once there, no XHR requests work due to the user not being authenticated in the Apollo client which gets the token from the Auth0Provider, the Auth0Provider in turn seems to think that the user is authenticated but not all functionality is supported.

We are using getTokenSilently() from the auth0Client and set it as header for the Apollo link, and the call to getTokenSilently() is returning nothing, but Auth0Provider says the user is authenticated.

Ultimately, the Apollo client reports an error from the backend that the token is missing in the request. And this only happens in incognito.

Hi @michael_hindley,

Have you tried the solution that @eoghan.bonass suggested?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.