Auto Refresh Access Token and 3rd Party Cookies issues


#1

Hello,

I’m working with the @okta/okta-react package and have wrapped my react-router routes with the SecureRoute component. Everything works as far as initial login, redirect, storing id/access Tokens and setting auth object on the wrapped component’s props.

I then use those access tokens when a user takes an action that causes non-GET calls to one of our backing services.

However, I’m running into issues with the autoRefresh of the access tokens, in that the iframe makes the behind-the-scenes call to the authorize endpoint, but on return the cookies are not able to be set unless I explicitly tell my browser to accept 3rd-party cookies at the okta (or during dev work oktapreview) domain. I cannot reliably expect all of my customers to turn on 3rd-party cookies for okta.

Does anyone have any guidance, or have any idea about common issues for this flow?

Thanks!