SSO Not Working on Safari. Initial Login on Main Site Works, Second Site Fails

Hi Community,

I am having a problem with our Auth0 SSO setup on Safari.

We have recently added Circle.so to our website - https://circle.so - to handle our community portal requirements. We have Circle set up for SSO via Auth0 so when a user logs into our website they are also logged into Circle. We then serve up the community portal in an iFrame to logged in members. This is working fine in Chrome and Firefox. However, it does not work in Safari.

I constantly get the “Oops! Something went wrong” error page and the error is always “Missing Client Parameter”.

I’ve tried debugging the flow in dev tools and it seems that the login request to our website works fine. The first instance of the login request in the Network tab in dev tools returns a 200 response, but on subsequent times the response to the login request is a 400. This mirrors what I see in the browser, where there is a quick flash of the logged in page that I expect to see, then the error pops up.

After the failed login if I then go to our account in Circle, log in there, then return to our website and reload, the login is recognised and everything works.

This only happens on Safari - mobile and laptop. On other browsers the SSO function works as expected.

Also, if I remove the SSO request to Circle from the flow, I can log in fine using Safari, so it is definitely the background SSO login to Circle that is causing the issue.

We are not using a custom domain in our login flow and use the Classic version of the Universal Login widget.

Any feedback you can give would be gratefully received.

Thanks.

Welcome to the Auth0 Community @phil6!

First of all, congratulations on implementing and having it working on browsers supporting third party cookies!
Also, I appreciate the detailed description of symptoms!

This looks as if a third-party initiator (your own application) initiates the login to Circle by sending the user to Circle’s login route, which, as a result, redirects the user to the Auth0 login page. Ref.

Safari does not support third-party cookies.

I believe the login to your own app (on Safari) works because of either:

  • The Auth0 tenant and your own application are hosted on the same second-level domain (so no issues related to third-party cookies);

or

  • Your own application relies on an SSO flow other than a cookie-based one (like refresh token rotation).

In that instance, I believe your login doesn’t involve Auth0 at all; the user logs in through Circle’s login feature -> Circle returns their own auth cookies to the browser, so the Circle app (same domain) has access to those cookies (no third-party cookies involved here).

This results in different domains for Circle and the Auth0 tenant. And your tests suggest that Circle supports cookies-based SSO integrations.

First I would consult Circle’s support team about their options. With your own application, you have more flexibility in terms of how you integrate with Auth0. But with Circle, it depends on what they support/expose.

Second, implementing a custom domain feature on the Circle and Auth0 side would remove the third-party cookies issue.

I hope this helps / happy to hear your thoughts or follow-up questions!
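Added example, not part of either post and not Auth0's or Circle's code: a small model of the third-party cookie decision the answer describes, showing why the embedded login chain loses its session cookies when the browser blocks third-party cookies and why custom domains under the site's own registrable domain avoid that. All hostnames and paths are hypothetical, the public-suffix list is a constructed three-entry stand-in, and SameSite attributes and the Storage Access API are ignored.

```javascript
// Constructed, abbreviated public-suffix list; browsers use the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "so", "co.uk"]);

// Registrable domain (eTLD+1): the longest matching public suffix plus one label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // suffix not in the abbreviated list
}

// A request is third-party when its registrable domain differs from the
// top-level page's, no matter how deeply it is nested in iframes or redirects.
function isThirdParty(topLevelUrl, requestUrl) {
  const top = registrableDomain(new URL(topLevelUrl).hostname);
  const req = registrableDomain(new URL(requestUrl).hostname);
  return top === null || req === null || top !== req;
}

// For each hop loaded inside the iframe, report whether the browser would
// attach that host's cookies. Simplification: SameSite attributes and the
// Storage Access API are ignored.
function traceEmbeddedLogin(topLevelUrl, hops, blocksThirdPartyCookies) {
  return hops.map((url) => {
    const thirdParty = isThirdParty(topLevelUrl, url);
    return {
      host: new URL(url).hostname,
      thirdParty,
      cookiesSent: !(thirdParty && blocksThirdPartyCookies),
    };
  });
}

// In this model, silent SSO works only if every hop receives its own cookies.
function silentSsoPossible(trace) {
  return trace.every((hop) => hop.cookiesSent);
}

// Hypothetical hostnames and paths (assumptions, not taken from the thread).
const SITE = "https://www.example.com/members";
const DEFAULT_HOPS = ["https://community.circle.so/login", "https://tenant.auth0.com/authorize"];
const CUSTOM_HOPS = ["https://community.example.com/login", "https://login.example.com/authorize"];

console.log("Blocking, default domains:", silentSsoPossible(traceEmbeddedLogin(SITE, DEFAULT_HOPS, true)));
console.log("Blocking, custom domains: ", silentSsoPossible(traceEmbeddedLogin(SITE, CUSTOM_HOPS, true)));
console.log("No blocking, default:     ", silentSsoPossible(traceEmbeddedLogin(SITE, DEFAULT_HOPS, false)));
```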

Also just a heads up @phil6 on Google’s plan to disable third party cookies: Chrome Phasing Off Third-Party Support Cookies