As we all know, Safari’s ITP blocks 3rd-party cookies. The token.getWithoutPrompt() method relies on cookies being sent in an iframe to have an active session and retrieve a token. I have not found any work-around for this. Are there any updates?
My current solution is to detect when this fails and fall back to a full-page redirect. This is a poor UX, but luckily only affects Safari users. It also requires additional work in our app to handle this flow. I could use a popup, but those are unreliable.
In reading about ITP, it looks like there are some cases where I thought that 3rd party cookies would be sent. For example, if you interact with a site directly as a user, then I thought 3P cookies would be sent for 24 hours. I likely misunderstood, because my testing of this didn’t work.
I’m curious to know what if anything others are doing to get around this problem.
I have looked into Safari’s storage API with no luck. It allows an iframe to request storage access, which also grants cookie access. But it requires a user gesture, so it can’t be used within a hidden iframe.
I also looked into the idea of using a session ID to retrieve a token, so the cookies would not be required. But I can’t find a way to access the session ID of an active session in the main window or after a login redirect. It doesn’t seem like I ever get access to the session ID.
Thanks Andrea, my responses to that are:
- Refresh tokens don’t solve the problem because how do we get refresh tokens? Same problem as getting tokens to begin with. Also for a web app, tokens shouldn’t be stored in the browser. Doing it with a redirect is the “normal” way, but if I have a dashboard with 10 components, each requiring their own token to call their own API, I obviously can’t let all of them redirect at the same time. How can I collect all the tokens I need in this scenario?
- This is fine except that Okta doesn’t support multiple domains for a tenant. I have a case of two domains for the same company, and my web app lives on domain A, while the auth servers live on domain B. I can’t move either, so my only option is to have Okta also support domain A so they can live on the same domain.
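As an added example (not code from this thread or from the Okta SDK), here is the fallback pattern the first post describes: try the silent iframe flow, and when it fails (as it does when Safari's ITP keeps the session cookie out of the iframe) fall back to a full-page redirect. It goes slightly beyond the post by also handling the dashboard concern from the reply: many components can request tokens at the same time, concurrent requests for the same scope set share one silent call, and the redirect is triggered at most once rather than once per component. It assumes an `authClient` exposing Promise-returning `token.getWithoutPrompt(opts)` and `token.getWithRedirect(opts)` (the okta-auth-js method names used in the thread); `createTokenGetter`, `onRedirect`, `stubClient` and `demo` are constructed for the example so it runs outside a browser.

```javascript
// Added example, not code from the thread or from the Okta SDK. It wraps an
// authClient that exposes the okta-auth-js method names the poster uses,
// token.getWithoutPrompt(opts) and token.getWithRedirect(opts), both returning
// Promises. createTokenGetter, onRedirect and the stub clients below are
// constructed for this example.

function createTokenGetter(authClient, { onRedirect } = {}) {
  let redirectStarted = false;   // only one full-page redirect per page load
  const inflight = new Map();    // dedupe concurrent silent requests by scope set

  async function getToken(opts) {
    const key = JSON.stringify(opts.scopes || []);
    if (inflight.has(key)) return inflight.get(key);

    const request = (async () => {
      try {
        // Silent flow: hidden iframe to the authorize endpoint; it only works
        // if the browser sends the session cookie as a third-party cookie.
        const res = await authClient.token.getWithoutPrompt(opts);
        return { ok: true, tokens: res.tokens, fellBack: false, error: null };
      } catch (err) {
        // Silent flow failed (cookie blocked, no session, timeout). Fall back
        // to a full-page redirect, but trigger it at most once even if several
        // components fail at the same moment.
        if (!redirectStarted) {
          redirectStarted = true;
          if (onRedirect) onRedirect(err);
          await authClient.token.getWithRedirect(opts); // navigates away in a browser
        }
        return { ok: false, tokens: null, fellBack: true, error: err };
      } finally {
        inflight.delete(key);
      }
    })();

    inflight.set(key, request);
    return request;
  }

  return getToken;
}

// Constructed stub clients so the file runs outside a browser: one where the
// silent flow succeeds and one where it is blocked.
function stubClient({ silentWorks }) {
  const redirects = [];
  return {
    redirects,
    token: {
      getWithoutPrompt: async (opts) => {
        if (!silentWorks) throw new Error('login_required');
        return { tokens: { accessToken: { scopes: opts.scopes } } };
      },
      getWithRedirect: async (opts) => { redirects.push(opts.scopes); },
    },
  };
}

// Simulate a dashboard where several components ask for tokens at once.
async function demo(silentWorks) {
  const client = stubClient({ silentWorks });
  const getToken = createTokenGetter(client);
  const results = await Promise.all([
    getToken({ scopes: ['api:a'] }),
    getToken({ scopes: ['api:b'] }),
    getToken({ scopes: ['api:a'] }),  // same scope set: shares the first request
  ]);
  return {
    silentOk: results.filter((r) => r.ok).length,
    fellBack: results.filter((r) => r.fellBack).length,
    redirects: client.redirects.length,
  };
}

demo(true).then((r) => console.log('silent flow works:', r));
demo(false).then((r) => console.log('silent flow blocked:', r));
```

In a real page the `getWithRedirect` call never returns because the browser navigates away; the components that were waiting get their tokens after the app reloads and parses the callback URL, so the `fellBack` results are only useful for logging or for showing a "signing you in" state before the navigation happens.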