okta / okta-auth-js

The official js wrapper around Okta's auth API

Apple preventing Cross-site tracking #371

Open patluri43 opened 4 years ago

patluri43 commented 4 years ago

Apple is preventing the cross-site tracking in version 13.1 and this is causing "session/me" and "getwithoutprompt" calls to fail.

aarongranick-okta commented 4 years ago

internal ref: OKTA-296984

ketankhade commented 4 years ago

> Apple is preventing the cross-site tracking in version 13.1 and this is causing "session/me" and "getwithoutprompt" calls to fail.

Also, I'm facing the same issue: because of "Prevent cross-site tracking", the "session/me" API is failing. If I enable preventing cross-site tracking on Safari it's working fine. Does anyone have an alternative solution?

Thanks,

Ketan

aarongranick-okta commented 4 years ago

@ketankhade We have updated our documentation on this issue: https://github.com/okta/okta-auth-js#third-party-cookies

You may be able to avoid this problem by using a custom domain: https://developer.okta.com/docs/guides/custom-url-domain/enable-the-custom-domain/ This may work because your app is now running on a "1st party" domain.

For "3rd party" domains, we are working on a longer term solution. In the short term our advice is to avoid using the API methods which are affected, or inform your users that 3rd party cookies are required.

NivethaMano commented 4 years ago

Do we have any other workaround here? We are using the Okta Sign-In Widget to log in, which uses cookies. We are facing a similar problem.

swiftone commented 4 years ago

@NivethaMano - I'm working on upgrading the documentation in this sprint. A lot depends on what specifically you are doing that is breaking. What methods are you calling that fail? What are you trying to do with them? Then I can see if we have a workaround beyond a custom domain.

sjhanson commented 4 years ago

I'm also running into issues with the tokenManager.renew('accessToken') call. I think we can work around the rest of the limitations if we had a way to refresh our token. I tested on Safari v14.0 and it wouldn't work until I unchecked "Prevent cross-site tracking". Any ideas?

aarongranick-okta commented 4 years ago

@sjhanson We are currently working on a solution for renewing tokens that does not use cookies. This new solution is scheduled for release later this year. Unfortunately, the current implementation does require cookies and will fail if 3rd party cookies are blocked (such as by the "Prevent cross-site tracking" feature). Currently, token renew will fail on these browsers. Users must re-enter credentials in a new auth flow to obtain new tokens. Our current recommendation is to configure your token lifespan to a high value (the same as or greater than your session lifespan); then there will be no attempt to renew tokens until the session has also expired.

jamesking commented 3 years ago

@aarongranick-okta is there an update on a solution that doesn't break in Safari or Chrome Incognito? Thanks!

swiftone commented 3 years ago

@jamesking - Yes! We now have One Time Refresh Tokens available in Early Access. (https://developer.okta.com/docs/release-notes/#one-time-use-refresh-token-is-now-in-early-access-ea)

These allow you to request a refresh token and okta-auth-js will use it to renew your tokens rather than relying on the okta session (which means no third party cookie issues)

This guide is intended for one of our front end SDKs, but this section talks about the concept of the refresh token: https://developer.okta.com/docs/guides/sign-into-spa/react/before-you-begin/#refresh-tokens-and-spas

Meanwhile, this page of that same guide talks about how to turn on this early access feature and how to set up your app/client_id in the Okta console to be able to request the refresh token: https://developer.okta.com/docs/guides/sign-into-spa/react/create-okta-application/

Once you have the changes in the Okta console, for your app you just need to use the latest okta-auth-js and include 'offline_access' in your requested scopes. The code will automatically use the refresh token to renew if one is available.

Hope that helps!

GreatEarl commented 3 years ago

Has this issue been fixed?

shuowu commented 3 years ago

@GreatEarl We are still working on "the longer term" solution. For now, you can follow the suggestion in https://github.com/okta/okta-auth-js/issues/371#issuecomment-643431027 to use the custom domain solution as a workaround.

GreatEarl commented 3 years ago

@shuowu Thanks for the advice, but apparently this issue does not exist in the latest Safari v14. At least what didn't work for me in v13, signing up a new user, works fine now.