Auto Refresh Access Token and 3rd Party Cookies issues


I’m working with the @okta/okta-react package and have wrapped my react-router routes with the SecureRoute component. Everything works as far as initial login, redirect, storing id/access Tokens and setting auth object on the wrapped component’s props.

I then use those accessTokens when a user takes an action that causes non-GET calls to one of our backing services.

However, I’m running into issues with the autoRefresh of the access tokens, in that the iframe makes the behind-the-scenes call to the authorize endpoint, but on return the cookies are not able to be set unless I explicitly tell my browser to accept 3rd party cookies at the Okta (or during dev work oktapreview) domain. I cannot reliably expect all of my customers to turn on 3rd party cookies for Okta.

Does anyone have any guidance, or have any idea about common issues for this flow?


Hi Charlieh,

Did you solve the third-party cookies issue?


One way to handle this would be to host your application on the same domain as your Okta domain (via a Custom URL domain). That way the cookies that are being set and accessed are no longer 3rd party and end-users will not need to update their browser settings in order for your application to work for them.
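
The check below is an added example, not part of the thread and not Okta's code: it decides whether the cookies used by the hidden renew iframe would count as third-party for a given app origin and issuer URL. The function names, the hostnames and the short public-suffix list are assumptions made for illustration; real code should use the full Public Suffix List.

```javascript
// Constructed, deliberately tiny suffix list (assumption, not the real PSL).
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "io", "co.uk"]);

// Registrable domain (eTLD+1): longest matching public suffix plus one label.
// Returns null for bare suffixes and for hosts with no known suffix.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    // i grows, so the longest candidate suffix is tried first.
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// The renew iframe loads the issuer's authorize endpoint inside the app page.
// Its session cookie is first-party only if both URLs share scheme and site.
function renewCookieContext(appOrigin, issuer) {
  const app = new URL(appOrigin);
  const idp = new URL(issuer);
  const appSite = registrableDomain(app.hostname);
  const idpSite = registrableDomain(idp.hostname);
  const sameSite =
    appSite !== null && appSite === idpSite && app.protocol === idp.protocol;
  return { appSite, idpSite, thirdParty: !sameSite };
}

// Constructed sample configurations (hostnames are placeholders).
const cases = [
  ["https://app.example.com", "https://dev-000000.oktapreview.com/oauth2/default"],
  ["https://app.example.com", "https://login.example.com/oauth2/default"],
  ["http://localhost:3000", "https://dev-000000.oktapreview.com/oauth2/default"],
];
for (const [appOrigin, issuer] of cases) {
  const r = renewCookieContext(appOrigin, issuer);
  console.log(`${appOrigin} -> ${issuer}: thirdParty=${r.thirdParty}`);
}
```

Only the second configuration, where the issuer sits on a custom domain under the same registrable domain as the app, keeps the iframe's cookies first-party.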