Third Party Cookies for SSO

Overview

Auth0 keeps the SSO (single sign-on) session in a cookie set on the Auth0 domain: the auth0 cookie. Silent authentication (an /authorize request with prompt=none) only works if the browser sends that cookie along with the request.

Most major browsers (Safari and Firefox among them) already block third-party cookies by default in normal, non-private browsing. Chrome is expected to follow.

If the browser blocks this cookie, SSO stops working: silent authentication requests that do not use refresh tokens fail with the login_required error, because Auth0 never sees the session cookie and cannot tell that the user is already logged in.

Applies To

  • Regular Web Applications
  • SPA (Single Page Applications)

Cause

Blocking third-party cookies is a privacy and security measure (against cross-site tracking) that browsers enforce on their own; neither Auth0 nor the application can opt out of it.

Solution

The ideal solution is to have the web application and the Auth0 tenant share the same registrable domain (eTLD+1), so that the auth0 cookie is a first-party, same-site cookie from the browser's point of view.

For example, if the application is here:

myapplicationdomain.com

the Auth0 tenant could use the following custom domain:

login.myapplicationdomain.com

In that case, the SSO cookie set by Auth0 during authentication on login.myapplicationdomain.com is not treated as third-party when a request is made from myapplicationdomain.com, because both hostnames belong to the same site, myapplicationdomain.com. Note that the comparison is on the registrable domain, not the top-level domain: tenant.auth0.com and myapplicationdomain.com both end in .com but are different sites, so the default tenant domain does not help. The application must also be configured to use the custom domain (not tenant.auth0.com) so that the cookie is set on it. To confirm the setup, watch a silent authentication request in the browser's developer tools and check that the request to the custom domain's /authorize endpoint carries the auth0 cookie.

If that is not possible, the workaround is to use refresh tokens to obtain new access tokens without relying on the SSO cookie (for SPAs, with Refresh Token Rotation enabled for the application and the SDK configured to use refresh tokens). Note what this does and does not fix: token renewal inside the application no longer depends on the cookie, but the SSO session itself still does, so signing in to one application will not silently sign the user in to another. Please see the Related References section (Refresh Tokens and Access Settings) for more details.
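The two decisions described in this section, same-site custom domain first and refresh tokens as the fallback, as an added JavaScript example that is not Auth0's code. The public-suffix subset, the hostnames and the three callbacks standing in for SDK calls are assumptions; the real SDK calls are asynchronous, but the decision structure is the same.

```javascript
// Added example, not Auth0's code. It shows (1) why a custom domain on the
// same registrable domain (eTLD+1) keeps the SSO cookie first-party, using a
// constructed subset of the Public Suffix List, and (2) the fallback chain an
// SPA should run when the silent (prompt=none) request fails with
// login_required because the cookie was blocked.

// Constructed subset of the Public Suffix List (assumption); a real check
// should use a maintained PSL library.
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk', 'github.io']);

// Registrable domain (eTLD+1) of a hostname, or null if no known suffix
// matches. Longer candidates are tried first so "co.uk" wins over "uk".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return labels.slice(i - 1).join('.');
    }
  }
  return null;
}

// A cookie set by the Auth0 domain is third-party for a request from the
// application origin when the two hostnames belong to different sites.
function cookieIsThirdParty(appOrigin, auth0Domain) {
  const appHost = new URL(appOrigin).hostname;
  const authHost = new URL(`https://${auth0Domain}`).hostname;
  const appSite = registrableDomain(appHost) ?? appHost;
  const authSite = registrableDomain(authHost) ?? authHost;
  return appSite !== authSite;
}

// Fallback chain. The three callbacks are assumptions standing in for SDK
// calls (silent /authorize with prompt=none, refresh-token grant, interactive
// login).
function getAccessToken({ silentAuth, refreshWithToken, redirectToLogin }) {
  try {
    return { token: silentAuth(), via: 'sso_cookie' };
  } catch (err) {
    // Anything other than login_required is a real failure: surface it.
    if (err.error !== 'login_required') throw err;
    // The SSO cookie was not sent (or the session is gone). A refresh token
    // is stored by the app, not in a cookie, so it can still mint a token.
    if (refreshWithToken) {
      return { token: refreshWithToken(), via: 'refresh_token' };
    }
    // No refresh token: the only option left is an interactive login.
    redirectToLogin();
    return { token: null, via: 'interactive_login' };
  }
}

// Constructed scenario: the browser blocked the auth0 cookie, so the silent
// request comes back with error=login_required.
function blockedCookieScenario(hasRefreshToken) {
  const loginRequired = Object.assign(new Error('Login required'),
    { error: 'login_required' });
  let redirected = false;
  const result = getAccessToken({
    silentAuth: () => { throw loginRequired; },
    refreshWithToken: hasRefreshToken ? () => 'at-from-refresh-token' : null,
    redirectToLogin: () => { redirected = true; },
  });
  return { ...result, redirected };
}

// Constructed scenario: same-site custom domain, cookie sent, silent auth works.
function workingCookieScenario() {
  return getAccessToken({
    silentAuth: () => 'at-from-sso-cookie',
    refreshWithToken: null,
    redirectToLogin: () => { throw new Error('should not redirect'); },
  });
}

for (const auth0Domain of ['tenant.auth0.com', 'login.myapplicationdomain.com']) {
  console.log(auth0Domain, 'is third-party for myapplicationdomain.com:',
    cookieIsThirdParty('https://myapplicationdomain.com', auth0Domain));
}
console.log('blocked cookie, refresh token present:', blockedCookieScenario(true).via);
console.log('blocked cookie, no refresh token:', blockedCookieScenario(false).via);
```

The registrable-domain comparison is the same rule browsers apply, which is why tenant.auth0.com is third-party for the application while login.myapplicationdomain.com is not; a development origin such as http://localhost:3000 is always a different site from the Auth0 domain, so local testing of silent authentication will hit the same login_required path unless refresh tokens are in use.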

Related References