Troubles with username/password login in Safari with "Prevent cross-site tracking" option

Good afternoon. Please help with the problem in the Safari browser. I have an application built in Ruby on Rails (my domain is prepjet.auth0.com). This issue is only reproducible in Safari browser, with the “Prevent cross-site tracking” option enabled, which is enabled by default. If you turn it off, everything works. All other browsers are fine too. The very problem with authorization using username / password. That is, through social networks (Linkedin, Facebook, Google) everything works fine. We tried to create a fallback page with javascript code (as written here - https://auth0.com/docs/login/embedded-login/cross-origin-authentication?_ga=2.164244607.1761874.1595861041-527761877.1589894702#create-a-cross-origin -verification-page), but the problem is the same. We cannot force users to remove the “Prevent cross-site tracking” option in the Safari browser. Please help me solve the problem. What can be done?

With iframe solution with fallback page the same result like with standard method, but different params - in the URL, when troubles with login, I can see next params - “failure?message=server_error&strategy=auth0” - with standard method and “failure?message=invalid_request&strategy=auth0” - with iframe fallback page with JS code.

Hello, @andrew.e.norton! Welcome to the Auth0 Community.

This is because you are using third-party cookies. Auth0 is setting cookies in your auth0.com domain that can be used in yourapplicati.on, which Safari considers third-party cookies, and blocks.

The solution to this is to implement a Custom Domain, which is available for our paid offerings. A Custom Domain will allow you to change your auth0.com domain for anything you’d like, so you can use, for example, login.yourapplicati.on, and then host your application in www.yourapplicati.on. Note how both of them are based on yourapplicati.on? That means that the cookie will now be first-party, and no longer a third-party cookie.

1 Like