Overview
The deprecation of third-party cookies by Chrome can impact the Sign-in Widget experience in various ways, depending on your architecture and deployment model. Okta has partnered with Google to exclude our domains from the cookie deprecation, utilizing origin trial tokens to give customers additional time to implement the suggested permanent solutions.
Additionally, admins or users can update Chrome policies to allow third-party cookies, which excludes their browser from the Chrome-facilitated 1% cookie deprecation testing. To select this option, follow the instructions in Google's help article under the section "Set the policies" and the "Allow or restrict all third-party cookies" accordion menu.
Trial Token Scripts
Within this article, Okta has provided five different JavaScript files that contain scripts to programmatically append the meta tag to the consumer's DOM. Each script utilizes the Trial token for the respective Okta domain. See below for details on how to embed the script.
| Domain | Sample Script |
|---|---|
| https://oktapreview.com | `<script src="REPLACE_WITH_YOUR_OKTA_DOMAIN/assets/js/third-party-cookie-deprecation/okta-preview-origin-trial.js" integrity="sha512-a84DxB2xXBw0XSoc/EEUdBgregdmTJAjreb5vBDxH5AKDgBQ+PA9K1sWqnASKbPow13xEx32g0q+UL2gLbVqWg==" crossorigin="anonymous"></script>` |
| https://okta.com | `<script src="REPLACE_WITH_YOUR_OKTA_DOMAIN/assets/js/third-party-cookie-deprecation/okta-origin-trial.js" integrity="sha512-qF8AFYrfELeLXx+0XpfYrACP8JiU2Gz4YWW7z4BoKlGHdAtHhjkrCGr+t1k0aDuN6ghwdiy/e1g63d8DMBQ06g==" crossorigin="anonymous"></script>` |
| https://okta-emea.com | `<script src="REPLACE_WITH_YOUR_OKTA_DOMAIN/assets/js/third-party-cookie-deprecation/okta-emea-origin-trial.js" integrity="sha512-sfBBhK5MhvH9llf/BvisWnazhYwKs1vftoapXvmDouWYJuBpaC0jCWkkKHqJ+xC9dT2UhRRqQcrrnaxMW/4OQA==" crossorigin="anonymous"></script>` |
| https://okta-gov.com | `<script src="REPLACE_WITH_YOUR_OKTA_DOMAIN/assets/js/third-party-cookie-deprecation/okta-gov-origin-trial.js" integrity="sha512-RZ7Y1tzJzR+Hb3RBEqjMkgftWEKiXIaYaZpAy3GYf6UsbmGJ6+XeoEoN/UeTZ/YWcAM39E/x5HRwHFJKOV9N/Q==" crossorigin="anonymous"></script>` |
| https://okta.mil | `<script src="REPLACE_WITH_YOUR_OKTA_DOMAIN/assets/js/third-party-cookie-deprecation/okta-mil-origin-trial.js" integrity="sha512-Oi4ujxsYu27ehMyhyz1TnyNJzkx/p5MpNJGfVB0LXizryXK80MxiMIg/wBdY+KbHXjpXDVm0SUObGDBji4amIg==" crossorigin="anonymous"></script>` |
Key components of the above sample script
SRC:
The src attribute on the script tag points to the JavaScript file (hosted on Okta servers) that generates the meta tag with the corresponding Trial token (matching the domain in the name of the file).
INTEGRITY:
The integrity attribute carries the Subresource Integrity (SRI) hash, a browser security feature that verifies resources fetched from another origin (for example, from a CDN) arrive without unexpected manipulation: the browser hashes the downloaded file and refuses to execute it if the hash does not match the integrity value. This gives customers assurance that the JS asset Okta provides has not been modified by a malicious actor in transit or on the server. More information regarding SRI can be found here.
CROSSORIGIN:
The crossorigin attribute enables CORS for the request, defining how the element handles cross-origin fetches. The anonymous value indicates that the request is made with CORS headers and with the credentials flag set to same-origin, so no cookies or HTTP authentication are sent to the Okta domain. The attribute is required alongside integrity: a browser only performs the SRI check on a cross-origin script when the resource is fetched in CORS mode, and blocks the script otherwise. More information regarding this attribute can be found here.
Determine Impact
The level of impact on the Sign-in Widget from the deprecation of third-party cookies varies with how the experience has been customized. Users are only impacted if the session has been extended using session cookies.
For example, some customers extend the user's authenticated session (also referred to as token renewal) to avoid prompting them to re-authenticate each time their session expires. To do this, a request is sent to the /authorize endpoint with the query parameter prompt=none, which renews the user's session without prompting the user to re-authenticate (see a sample request here). This request can be initiated manually by the app, or by the AuthJS SDK (which is bundled with the Sign-in Widget). Either way, it relies on third-party cookies stored in the browser.
For the Embedded (Self-hosted) Sign-in Widget scenario, use the admin console “System Log” tool to perform the following query.
`debugContext.debugData.requestUri eq "/oauth2/v1/authorize" and debugContext.debugData.Url co "prompt=none" and debugContext.debugData.responseMode eq "okta_post_message"`
The results show the "Actor" of each event, which lets you determine whether an OIDC app is initiating this request.
Another example of extending sessions to avoid frequent prompts for re-authentication is utilizing the Okta Sessions API to refresh the user's current session using a cookie. If your application relies on this API, migrate as soon as possible to avoid the impact caused by Google's third-party cookie phaseout. If unsure whether your organization utilizes this API, use the System Log query below to search for usage.
`debugContext.debugData.requestUri sw "/api/v1/sessions/me"`
To mitigate the impact of the deprecation of these cookies, Okta recommends updating the application to utilize refresh tokens. Be sure to enable the “Refresh Token” Grant on the application within the Admin console, and follow the sample request in the above link to ensure the required query parameters are present to successfully refresh the access token. For additional information, please refer to the instructions in our Dev Blog for how to transition to supported endpoints.
If more time is needed to make the above change, follow the steps below to embed an origin trial token script into the application. This will provide an exemption from cookie deprecation for the respective org until the end of the year.
Customizing the Sample Script for Usage
If you use the Self-hosted Sign-in Widget deployment model (on your own domain), embed the script in the application as follows.
- Find your Okta domain (also known as the baseUrl used in the Sign-in Widget configuration).
- Based on the domain (for example, okta.com, okta-emea.com, okta.mil, etc.), select the appropriate trial token script: find the matching domain in the table above and copy its script.
- Modify the script src domain to use your baseUrl/Okta domain.
- Add the script to the <head> section of the code base/source code. See the sample below.
- NOTE: If any consumers of your app use IE11, the script is not compatible with IE; use the sample that conditionally adds the trial token script only when the browser is not IE.
```html
<html>
  <head>
    <!-- Scripts and other CSS imported by the customer -->
    <!-- ADD Trial token script here -->
    <script
      src="https://REPLACE_WITH_YOUR_OKTA_DOMAIN/assets/js/third-party-cookie-deprecation/okta-origin-trial.js"
      integrity="sha512-qF8AFYrfELeLXx+0XpfYrACP8JiU2Gz4YWW7z4BoKlGHdAtHhjkrCGr+t1k0aDuN6ghwdiy/e1g63d8DMBQ06g=="
      crossorigin="anonymous"></script>
  </head>
  <body>
    <!-- Sign-in Widget import/assets/module -->
  </body>
</html>
```
Example to conditionally include origin trial token script when browser is not Internet Explorer
```html
<html>
  <head>
    <!-- Scripts and other CSS imported by the customer -->
    <!-- ADD Trial token script here -->
    <script type="text/javascript">
      // The trial token script is not compatible with Internet Explorer, so
      // detect IE from the user agent and only add the tag in other browsers.
      function isIE() {
        var ua = window.navigator.userAgent.toLowerCase();
        var msie = ua.indexOf('msie');       // IE 10 or older
        var trident = ua.indexOf('trident'); // IE 11
        return (msie >= 0 || trident >= 0);
      }
      if (!isIE()) {
        // "<\/script>" stops the HTML parser from ending this script block early.
        document.write('<script src="https://REPLACE_WITH_YOUR_OKTA_DOMAIN/assets/js/third-party-cookie-deprecation/okta-origin-trial.js" integrity="sha512-qF8AFYrfELeLXx+0XpfYrACP8JiU2Gz4YWW7z4BoKlGHdAtHhjkrCGr+t1k0aDuN6ghwdiy/e1g63d8DMBQ06g==" crossorigin="anonymous"><\/script>');
      }
    </script>
  </head>
  <body>
    <!-- Sign-in Widget import/assets/module -->
  </body>
</html>
```
The script filename to use depends on the baseUrl (also known as the Okta domain). Customers using this deployment model should already know the baseUrl, as it is used to initialize the Widget in their application (see the Embedded flow documentation).
For example, if the Okta domain is https://acme.okta.com, then the corresponding script to use is okta-origin-trial.js.
If the Okta domain is https://auth.acme.okta-emea.com, then the corresponding script to use is okta-emea-origin-trial.js.
ADSSO / Custom domain (Okta-hosted) scenario
The long-term solution is to enable the CookiesAllowedForURLs Chrome policy and add the value of the Okta org where Agentless Desktop SSO is configured, in the format <myorg>.kerberos.<okta|oktapreview|okta-emea>.com. For example, if your custom domain is acme-auth.com, the configuration would be formatted as acme-auth.kerberos.<okta|oktapreview|okta-emea>.com.
If you use a custom domain with ADSSO and prefer the trial token as a short-term remediation, use the custom code editor to embed the script in the <head> section of the HTML, as in the sample below.
NOTE: If users will use Internet Explorer, please use the example that conditionally adds the script.
```html
...
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <meta name="robots" content="noindex,nofollow" />
  <!-- Styles generated from theme -->
  <link href="{{themedStylesUrl}}" rel="stylesheet" type="text/css">
  <!-- Favicon from theme -->
  <link rel="shortcut icon" href="{{faviconUrl}}" type="image/x-icon"/>
  <title>{{pageTitle}}</title>
  {{{SignInWidgetResources}}}
  <style nonce="{{nonceValue}}">
    #login-bg-image-id {
      background-image: {{bgImageUrl}}
    }
  </style>
  <!-- ADD Trial token script here -->
  <script
    src="https://okta.com/assets/js/third-party-cookie-deprecation/okta-origin-trial.js"
    integrity="sha512-qF8AFYrfELeLXx+0XpfYrACP8JiU2Gz4YWW7z4BoKlGHdAtHhjkrCGr+t1k0aDuN6ghwdiy/e1g63d8DMBQ06g=="
    crossorigin="anonymous"></script>
</head>
...
```
Example to conditionally include origin trial token script when the browser is not Internet Explorer
```html
...
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <meta name="robots" content="noindex,nofollow" />
  <!-- Styles generated from theme -->
  <link href="{{themedStylesUrl}}" rel="stylesheet" type="text/css">
  <!-- Favicon from theme -->
  <link rel="shortcut icon" href="{{faviconUrl}}" type="image/x-icon"/>
  <title>{{pageTitle}}</title>
  {{{SignInWidgetResources}}}
  <style nonce="{{nonceValue}}">
    #login-bg-image-id {
      background-image: {{bgImageUrl}}
    }
  </style>
  <!-- ADD Trial token script here -->
  <script type="text/javascript">
    // The trial token script is not compatible with Internet Explorer, so
    // detect IE from the user agent and only add the tag in other browsers.
    function isIE() {
      var ua = window.navigator.userAgent.toLowerCase();
      var msie = ua.indexOf('msie');       // IE 10 or older
      var trident = ua.indexOf('trident'); // IE 11
      return (msie >= 0 || trident >= 0);
    }
    if (!isIE()) {
      // "<\/script>" stops the HTML parser from ending this script block early.
      document.write('<script src="https://okta.com/assets/js/third-party-cookie-deprecation/okta-origin-trial.js" integrity="sha512-qF8AFYrfELeLXx+0XpfYrACP8JiU2Gz4YWW7z4BoKlGHdAtHhjkrCGr+t1k0aDuN6ghwdiy/e1g63d8DMBQ06g==" crossorigin="anonymous"><\/script>');
    }
  </script>
</head>
...
```
In this case, the host of the trial token script URL should be the custom domain, while the script filename is still chosen by the org's default brand Okta domain. For example, if the custom domain is https://auth.acme.com and the default brand Okta domain is https://okta.com, then the script URL to use is https://auth.acme.com/assets/js/third-party-cookie-deprecation/okta-origin-trial.js.
As another example, if the custom domain is https://auth.atko.com but the default brand Okta domain is https://okta-emea.com, then the script URL to use is https://auth.atko.com/assets/js/third-party-cookie-deprecation/okta-emea-origin-trial.js.
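The two domain-to-filename rules above (self-hosted widget: the script is served from the Okta org itself; custom domain: the script is served from the custom domain but the filename still follows the default brand Okta domain) as one added example that is not Okta's code. The org and custom-domain hostnames used are constructed; the file names and integrity hashes are the ones from the table at the top of this article, and the function expects origins with a scheme such as https://acme.okta.com.

```javascript
// Added example, not Okta's code: choose the trial-token script for an Okta
// org from its domain suffix and build the <script> tag with the matching
// SRI hash from the table above. Sample hostnames are constructed.
const SCRIPT_PATH = '/assets/js/third-party-cookie-deprecation/';
const TRIAL_SCRIPTS = {
  'oktapreview.com': ['okta-preview-origin-trial.js',
    'sha512-a84DxB2xXBw0XSoc/EEUdBgregdmTJAjreb5vBDxH5AKDgBQ+PA9K1sWqnASKbPow13xEx32g0q+UL2gLbVqWg=='],
  'okta.com': ['okta-origin-trial.js',
    'sha512-qF8AFYrfELeLXx+0XpfYrACP8JiU2Gz4YWW7z4BoKlGHdAtHhjkrCGr+t1k0aDuN6ghwdiy/e1g63d8DMBQ06g=='],
  'okta-emea.com': ['okta-emea-origin-trial.js',
    'sha512-sfBBhK5MhvH9llf/BvisWnazhYwKs1vftoapXvmDouWYJuBpaC0jCWkkKHqJ+xC9dT2UhRRqQcrrnaxMW/4OQA=='],
  'okta-gov.com': ['okta-gov-origin-trial.js',
    'sha512-RZ7Y1tzJzR+Hb3RBEqjMkgftWEKiXIaYaZpAy3GYf6UsbmGJ6+XeoEoN/UeTZ/YWcAM39E/x5HRwHFJKOV9N/Q=='],
  'okta.mil': ['okta-mil-origin-trial.js',
    'sha512-Oi4ujxsYu27ehMyhyz1TnyNJzkx/p5MpNJGfVB0LXizryXK80MxiMIg/wBdY+KbHXjpXDVm0SUObGDBji4amIg=='],
};

// Map an Okta domain (the widget baseUrl or the default brand domain, e.g.
// https://auth.acme.okta-emea.com) to its script file and hash. None of the
// five suffixes is a suffix of another, so a plain suffix match is unambiguous.
function selectTrialScript(oktaDomain) {
  const host = new URL(oktaDomain).hostname.toLowerCase();
  for (const [suffix, [file, integrity]] of Object.entries(TRIAL_SCRIPTS)) {
    if (host === suffix || host.endsWith('.' + suffix)) return { file, integrity };
  }
  throw new Error('no trial-token script for domain ' + host);
}

// scriptHost is where the file is served from: the org itself for the
// self-hosted widget, the custom domain for the Okta-hosted (ADSSO) page.
function buildTrialScriptTag(oktaDomain, scriptHost = oktaDomain) {
  const { file, integrity } = selectTrialScript(oktaDomain);
  const src = 'https://' + new URL(scriptHost).hostname + SCRIPT_PATH + file;
  const html = `<script src="${src}" integrity="${integrity}" crossorigin="anonymous"></script>`;
  return { src, integrity, html };
}

// Browser-side insertion that keeps SRI without document.write; skipped
// outside a browser and on IE, as in the page's conditional samples.
function injectTrialScript(oktaDomain, scriptHost = oktaDomain) {
  if (typeof document === 'undefined') return false;
  const ua = window.navigator.userAgent.toLowerCase();
  if (ua.indexOf('msie') >= 0 || ua.indexOf('trident') >= 0) return false;
  const tag = buildTrialScriptTag(oktaDomain, scriptHost);
  const el = document.createElement('script');
  el.src = tag.src; el.integrity = tag.integrity; el.crossOrigin = 'anonymous';
  document.head.appendChild(el);
  return true;
}
```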
Related References
- Okta Developer Blog Post - How to Prepare Your Self-Hosted Okta Sign-in Widget to Work without Third-Party Cookies
- Deprecation of 3rd Party Cookies in Google Chrome
- Okta Developer Blog Post - The End of Third-Party Cookies
- Deprecating 3rd party cookies for Chrome users
- Preparing for the end of third-party cookies
- Session cookies via our APIs
- Embedded Sign-in Widget deployment model
