Hello, I have long hesitated before implementing Auth0. And I am starting to feel like I have been cheated twice.
Let me explain : The documentation is VERY misleading. Everything is made to corner users into paying for a custom domain. The problem is that you end up realising it after you have implemented an almost working solution.
I first decided to use embedded Lock v11 and could not understand why it was not working under Safari and Brave. For a couple hours, I scouted internet for answers, only to realize that the new versions of Lock needed a custom domain to work properly when third party cookies are blocked (Safari, Brave and Chrome if user block them).
Auth0 docs pointed at using Universal Login to circumvent this issue. So here I am, deleting code, replacing bits, wasting time to use Universal Login. And now, after trying to understand why my App logs out whenever I hit refresh (under Brave), I am just discovering that it is because of cross origin requests again and that I should either use a custom domain or use…Universal Login !
Furthermore, not only your code examples for UL make use of
checkSession(), which does not work with Brave & safari unless you buy a custom domain. But the docs also mention that UL would allow developers not to use a custom domain without ever explaining how.
No need to say that after wasting so much time to understand the ins and outs of Auth0, I find it absolutely appalling that your paid user acquisition strategy mostly relies on confusing developpers.
Authentication & authorization are confusing and hard to grasp for newcomers. Adding an extra layer of complexity completely ruins the experience.
While I could certainly bear the cost of using a custom domain, the way I have been dragged into using one certainly put me off Auth0 as a long term solution for my business.
The bottom line is that Auth0 does not offer ANY single tutorial that works under all famous browsers (Safari !) and makes use of the free tier.
We are moving towards a privacy focused web, where third party cookie blocking is something perfectly reasonable, as shown by the latest privacy measures taken by Apple.
I will now go back to the docs to find a way around using a custom domain. I wish the experience had been transparent and straightforward.
It would have been a lot more enticing, had I been told about how a CD would translate in decreasing of rebound rate, for example. But instead, I feel like I have been duped by a lame car sales guy.
Update : According to this doc, it seems that the only way to be enable a user to refresh the page on Safari is to use a custom domain.