I’m working with the @okta/okta-react package and have wrapped my react-router routes with the SecureRoute component. Everything works as far as initial login, redirect, storing id/access tokens and setting the auth object on the wrapped component’s props.
I then use those accessTokens when a user takes an action that causes non-GET calls to one of our backing services.
However, I’m running into issues with the autoRefresh of the access tokens, in that the iframe makes the behind-the-scenes call to the authorize endpoint, but on return the cookies are not able to be set unless I explicitly tell my browser to accept 3rd party cookies at the okta (or during dev work oktapreview) domain. I cannot reliably expect all of my customers to turn on 3rd party cookies for okta.
Does anyone have any guidance, or have any idea about common issues for this flow?