Using Auth0 in Safari with ITP Enabled

Problem statement

In Safari with ITP (Intelligent Tracking Prevention) enabled, requests to ‘/authorize’ always redirect to ‘*/login’, even before the session lifetime has ended. Are there any recommendations to allow users to stay authenticated as expected when ITP is enabled?

Cause

ITP requires users to interact with a site in order for it not to be classified as third-party or tracking. Interaction means actual engagement, such as mouse movements, clicks, or typing; merely visiting a page is not sufficient.

The ‘/authorize’ endpoint uses cookies to authenticate. This means that if the application uses a flow such as Silent Authentication to renew tokens, that renewal cannot succeed without user interaction when ITP is enabled.

However, renewing tokens with the refresh token flow is unaffected by ITP, because the endpoint it uses does not authenticate with cookies.

Solution

Although it may be possible to direct users to disable ITP (the Prevent cross-site tracking setting) in Safari, this is unlikely to be a long-term solution.

Instead, using the refresh token flow to renew tokens allows the application to bypass this third-party cookie issue entirely and lets users retain access to the resources they need. More on implementing refresh tokens in an application can be found in the product documentation at Refresh Tokens - SDK support.
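The following is an added example, not code from this article or from the Auth0 SDKs, illustrating the difference described in the Cause and Solution sections: silent authentication depends on the session cookie sent to ‘/authorize’, while the refresh token grant posts the refresh token itself to the token endpoint and needs no cookie. The tenant domain, client ID and token strings are constructed placeholders, and the stubbed fetch stands in for the tenant so the code runs offline.

```javascript
// Added example: renewing tokens with the refresh token grant rather than
// silent authentication. Not Auth0 SDK code; TENANT.auth0.com, CLIENT_ID and
// the rt-*/at-* token strings are constructed placeholders.
//
// Silent authentication reloads /authorize in a hidden iframe and relies on the
// Auth0 session cookie, which Safari's ITP withholds in a third-party context.
// The refresh token grant sends the refresh token in the request body to
// /oauth/token, so there is no cookie for ITP to block.

// Build the /oauth/token request for grant_type=refresh_token (RFC 6749 section 6).
function buildRefreshTokenRequest(domain, clientId, refreshToken) {
  return {
    url: `https://${domain}/oauth/token`,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      // Send no cookies at all: the refresh token is the credential here.
      credentials: 'omit',
      body: JSON.stringify({
        grant_type: 'refresh_token',
        client_id: clientId,
        refresh_token: refreshToken,
      }),
    },
  };
}

// Merge a token response into the stored token set. With refresh token
// rotation enabled, each response carries a new refresh_token that must
// replace the old one; without rotation the old one remains in use.
function applyTokenResponse(stored, response, nowMs = Date.now()) {
  if (!response.access_token || typeof response.expires_in !== 'number') {
    throw new Error('token response missing access_token or expires_in');
  }
  return {
    accessToken: response.access_token,
    idToken: response.id_token || stored.idToken,
    refreshToken: response.refresh_token || stored.refreshToken,
    expiresAt: nowMs + response.expires_in * 1000,
  };
}

// Renew when the access token is missing or within `marginMs` of expiry, so
// API calls are not made with a token that is about to expire.
function needsRenewal(stored, nowMs = Date.now(), marginMs = 60_000) {
  return !stored.accessToken || stored.expiresAt - marginMs <= nowMs;
}

// Renew the token set when needed. `fetchImpl` is injectable so the flow can
// be exercised offline; in a browser pass window.fetch (the default).
async function renewTokens(domain, clientId, stored, fetchImpl = globalThis.fetch) {
  if (!needsRenewal(stored)) return stored;
  const { url, options } = buildRefreshTokenRequest(domain, clientId, stored.refreshToken);
  const res = await fetchImpl(url, options);
  const body = await res.json();
  if (!res.ok) {
    // invalid_grant: the refresh token was revoked, already rotated, or
    // expired. Only an interactive login can recover from this.
    throw new Error(`refresh failed: ${body.error || res.status}`);
  }
  return applyTokenResponse(stored, body);
}

// Constructed stub standing in for the tenant's /oauth/token endpoint.
// It accepts exactly one refresh token and rotates it on success.
function stubFetch(url, options) {
  const req = JSON.parse(options.body);
  const ok = req.grant_type === 'refresh_token' && req.refresh_token === 'rt-old-constructed';
  const payload = ok
    ? { access_token: 'at-new-constructed', refresh_token: 'rt-new-constructed',
        expires_in: 86400, token_type: 'Bearer' }
    : { error: 'invalid_grant', error_description: 'Unknown or invalid refresh token.' };
  return Promise.resolve({ ok, status: ok ? 200 : 403, json: async () => payload });
}

// Stand-alone demo: an expired token set is renewed through the stub.
const demoStored = { accessToken: 'at-old-constructed', refreshToken: 'rt-old-constructed', expiresAt: 0 };
renewTokens('TENANT.auth0.com', 'CLIENT_ID', demoStored, stubFetch)
  .then((t) => console.log('renewed without cookies:', t))
  .catch((e) => console.error(e.message));
```

Storing the rotated refresh token from every successful response is what keeps the session alive across renewals; if the old token is reused after rotation, the tenant answers with invalid_grant and the application has to fall back to an interactive login.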