Does Sign-In Widget Require Third-Party Cookies
Overview

If third-party cookies are disabled in the browser settings, some functionality of the Okta Sign-In Widget may not work as expected. This article explains the options for mitigating this.

Applies To
  • Sign-In Widget
  • Chrome/Firefox
  • Okta Classic Engine
Cause

If third-party cookies are disabled in the browser, any SPA set up to run the embedded Okta Sign-In Widget will be unable to SSO when the user already has an Okta session, unless refresh tokens are enabled. The reason is that the default configuration of the Sign-In Widget uses a hidden iframe to pass the sessionToken to the OAuth endpoint, and this is where the user's session cookie is set in the browser. In this case the cookie would be set inside the iframe, which is exactly what "Disallow Third Party Cookies" blocks. Because the session cookie is never set in the iframe, refreshing the token or calling to check the user's session status fails with an OAUTH_ERROR message.

Solution

There are three options to resolve this:

  • Use the redirect option

The Widget redirects to the Okta OAuth /authorize endpoint, the session cookie is set in a first-party context, and Okta then redirects back to the app (instead of silently opening the hidden iframe and exchanging the sessionToken on the same page). This is done by setting authParams.display to page (as described in the okta-signin-widget documentation).

  • Use a custom domain

If the issuer for the SPA is set to the custom Okta domain and the app is hosted on that same domain, the hidden iframe is no longer in a third-party context.

This is not recommended because major browsers like Chrome, Firefox, and Safari are removing third-party cookie support. For more information, refer to Deprecation of Third-Party Cookies in Google Chrome.
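As an added example (not Okta's code and not part of this article), the following JavaScript applies the reasoning from the Cause section and both Solution options to a Sign-In Widget config object: it reports whether the default hidden-iframe flow would run cross-site and therefore depend on third-party cookies. The org URL, client ID and the registrable-domain heuristic are constructed assumptions.

```javascript
// Added example, not Okta's own code: decide whether a Sign-In Widget config
// would depend on third-party cookies for SSO/token renewal, per this article.
// All config values below are constructed placeholders.
// Heuristic: treat the last two DNS labels as the registrable domain.
// Assumption for this example only; a production check should use the
// Public Suffix List (suffixes such as "co.uk" break this rule).
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').filter(Boolean).slice(-2).join('.');
}

function assessWidgetConfig(config, appOrigin) {
  const authParams = config.authParams || {};
  const issuerHost = new URL(authParams.issuer || config.baseUrl).hostname;
  const appHost = new URL(appOrigin).hostname;
  const sameSite = registrableDomain(issuerHost) === registrableDomain(appHost);
  // Refresh tokens let the SPA renew without the hidden iframe; for Okta SPAs
  // they are requested with the offline_access scope.
  const hasRefreshToken = (authParams.scopes || []).includes('offline_access');

  // Option 1: display=page makes the widget redirect to /authorize, so the
  // session cookie is set first-party and no hidden iframe is involved.
  if (authParams.display === 'page') {
    return { flow: 'redirect', needsThirdPartyCookies: false };
  }
  // Default flow: hidden iframe exchanging the sessionToken at /authorize.
  // Option 2: with a custom domain on the same site, that iframe is first-party.
  if (sameSite) {
    return { flow: 'hidden-iframe', needsThirdPartyCookies: false };
  }
  // Cross-site iframe: the session cookie is blocked when third-party cookies
  // are disabled, so silent renewal and session checks fail (OAUTH_ERROR)
  // unless a refresh token can be used instead.
  return { flow: 'hidden-iframe', needsThirdPartyCookies: !hasRefreshToken };
}

// Constructed sample: SPA on example.com, Okta org on the default okta.com host.
const SPA_ORIGIN = 'https://app.example.com';
const baseConfig = {
  baseUrl: 'https://dev-PLACEHOLDER.okta.com',
  clientId: '0oaPLACEHOLDER',
  redirectUri: SPA_ORIGIN + '/login/callback',
  authParams: { issuer: 'https://dev-PLACEHOLDER.okta.com/oauth2/default', scopes: ['openid', 'profile'] },
};
const redirectConfig = { ...baseConfig, authParams: { ...baseConfig.authParams, display: 'page' } };
const customDomainConfig = { ...baseConfig, authParams: { ...baseConfig.authParams, issuer: 'https://login.example.com/oauth2/default' } };
const refreshConfig = { ...baseConfig, authParams: { ...baseConfig.authParams, scopes: ['openid', 'profile', 'offline_access'] } };
for (const [name, cfg] of Object.entries({ baseConfig, redirectConfig, customDomainConfig, refreshConfig })) {
  console.log(name, assessWidgetConfig(cfg, SPA_ORIGIN));
}
```

Only the default config (cross-site issuer, no refresh token) reports that it needs third-party cookies; the redirect, custom-domain and refresh-token variants do not.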
