I have problems with silent reauthentication in the “latest” Chrome 92.
I’ve read and understand the well-described topic in Why is authentication lost after refreshing my single page application? but currently there appears to be a problem in Chrome only. My application has no Social Connection configured, only the username/password method is allowed, Chrome is set to allow third-party cookies, and I can see that after a valid login the cookie is properly set to true, but on refresh it is cleared (after the silent request to the Auth0 server).
There are no issues with Firefox, for instance. There’s also no problem if I set localstorage as the cacheLocation.
What could be the problem? Is it something Chrome has “changed”, or something locally on my side?
In fact I see Firefox is logging some info which can give more insight for the reason why it doesn’t work in Chrome.
Cookie “auth0.is.authenticated” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite” attribute, read Set-Cookie - HTTP | MDN
And I’m 99% sure Chrome already rejects such cookies.
I guess there’ll be no problem when a custom domain is set, as then the SPA and the authorization server will be on the same domain.
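To make the Firefox warning above concrete, here is an added example (not code from this thread or from the Auth0 SDK) that parses a cookie string and flags the exact condition the browser complained about: SameSite=None, or an invalid SameSite value, without the Secure attribute. The cookie name is the one from the warning; the cookie strings at the bottom are constructed sample inputs.

```javascript
// Added example, not code from the thread or from auth0-spa-js: parse a cookie
// string in Set-Cookie / document.cookie form and flag the exact condition the
// Firefox console warned about, SameSite=None (or an invalid value) without Secure.
// The cookie name "auth0.is.authenticated" is the one named in the thread; the
// cookie strings at the bottom are constructed sample inputs.

function parseCookie(cookieString) {
  const [pair, ...attrs] = cookieString.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    // Flag-style attributes (Secure, HttpOnly) carry no value; store them as true.
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Returns the reasons a current browser would warn about or drop the cookie when
// it is set in a cross-site (third-party) context; an empty list means it is fine.
function cookieProblems(cookieString) {
  const { name, attrs } = parseCookie(cookieString);
  const problems = [];
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : null;
  const secure = attrs.secure === true;
  if (sameSite !== null && !["strict", "lax", "none"].includes(sameSite)) {
    problems.push(`${name}: SameSite=${attrs.samesite} is not a valid value`);
  }
  // Mirrors the Firefox message: None, or anything that is not Strict/Lax, needs Secure.
  const treatedAsNone = sameSite !== null && sameSite !== "strict" && sameSite !== "lax";
  if (treatedAsNone && !secure) {
    problems.push(`${name}: SameSite=None requires the Secure attribute`);
  }
  return problems;
}

// Constructed samples: the form the warning is about, and the form that keeps working.
const REJECTED = "auth0.is.authenticated=true; Path=/; SameSite=None";
const ACCEPTED = "auth0.is.authenticated=true; Path=/; SameSite=None; Secure";
console.log(cookieProblems(REJECTED)); // ["auth0.is.authenticated: SameSite=None requires the Secure attribute"]
console.log(cookieProblems(ACCEPTED)); // []
```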
If I boot up our vanilla js quickstart in chrome 92:latest everything works as expected. Can you provide a HAR of your failed transaction in a DM please?
Is there a reason why you don’t use this strategy?
I currently use the localstorage strategy, no issues with it, it’s perfect.
But as cookies are the default when starting the project, I was at first puzzled about what was not working and why, and was just going to try Okta when I saw it’s actually working in Firefox and started digging more to find out why from a dev’s perspective.
As you said it’s working for you properly, I started to think even more that it’s just something specific to my Chrome. And finally I think I found out why. It’s because of this Chrome extension: Privacy Badger (Privacy Badger - Chrome Web Store).
So there’s nothing wrong with Auth0. What Privacy Badger does, and why, so that it blocks these Auth0 cookies I don’t know.
Thanks for your assistance, I believe this “issue” can be resolved now.