Brilliant, thanks for the quick response.
I went ahead and tried it and the refresh is now working with 3rd party cookies disabled, as you said, thanks! One-liner lives here in case anyone else reading this is interested.
Have a question about local storage, I realize this situation in general is a complex issue with multiple tradeoffs and I’m probably ignorant on the reasoning here. What I’m hoping to understand: why local storage vs a cookie?
HttpOnly flag set. So on that project we set the refresh_token as a cookie with the usual security flags and a path, and then the server subsequently returns ephemeral access_tokens that live in browser memory only. Obviously the spec reflects a lot of smart people’s efforts, and my above solution was built before that spec was finalized, so I may be ignorant of a problem with the above approach.
I do realize refresh token rotation means rotating refresh tokens frequently and I’m guessing there are reasons the token has to live in local storage, but I’m curious to understand why. What about this system precludes using cookie(s)? If I understand right, on SPA page init we’re making a request to the Auth0 endpoint anyway. Seems like the endpoint could ostensibly respond to a cookie-presented token then, no?
Are there plans in the works to support cookies in the future? Or is this whole idea fundamentally Not A Thing.
Thanks again, appreciate your insight!