Troubleshoot Renew Tokens When Using Safari

In some cases, renewing tokens with silent authentication does not work as expected with the latest version of the Safari browser. Recent versions of the Safari browser introduced a new feature called Intelligent Tracking Prevention (ITP). ITP is designed to prevent websites from tracking user activity across multiple websites. By default, ITP is active. You can determine if the Safari version you are using has ITP by going to the Preferences > Privacy tab and seeing if the Prevent cross-site tracking option is checked.

Authorization - Renew tokens when using Safari - Safari privacy preferences

ITP and browser behavior

Enabling ITP causes the browser to behave as if you had disabled third-party cookies in the browser, which makes it impossible to obtain a new token without displaying anything to the user. This is akin to the way OpenID Connect (OIDC) uses iframes for handling sessions in SPAs.

In the SPA SDK (which is our recommendation) getTokenSilently performs silent authentication unless you configure the SDK to use rotating refresh tokens.

Workarounds

Recent advancements in user privacy controls in browsers adversely impact the user experience by preventing access to third-party cookies. You can use Refresh Token Rotation as an alternative that provides a secure method for using refresh tokens in SPAs while providing end-users with seamless access to resources without the disruption in UX caused by browser privacy technology like ITP.

Alternatively, you can work around the issues posed by ITP by using Auth0's custom domains functionality, particularly if the custom domain lives on a subdomain of the application's website domain. For example, if your application is hosted on example.com, the custom domain would need to be of the format subdomain.example.com.

ITP debug mode

Safari Technology Preview offers an "Intelligent Tracking Prevention Debug Mode" that you can use to troubleshoot ITP issues. You can find instructions on how to debug ITP in this blog post from WebKit.

NOTE: The instructions mention how to permanently classify a custom domain as having tracking abilities for testing purposes. In later versions of Safari Technology Preview, though, the domain to store the User Defaults for this setting changed from com.apple.SafariTechnologyPreview to com.apple.WebKit.Networking. If you are having trouble with the commands mentioned in the instructions, try these:

  • Classify a site as having tracking abilities: defaults write com.apple.WebKit.Networking ResourceLoadStatisticsManualPrevalentResource example.com

  • Inspect the setting: defaults read com.apple.WebKit.Networking ResourceLoadStatisticsManualPrevalentResource

  • Delete the setting: defaults delete com.apple.WebKit.Networking ResourceLoadStatisticsManualPrevalentResource

You will need to restart Safari Technology Preview every time you make changes for the settings to take effect.