
e4dvx (e4dvx) asked a question.
We have implemented the SSO login across multiple domains using token.getWithoutPrompt. getWithoutPrompt (okta+javascript) must have access to cookies on the Okta domain via an iframe.
Since all the modern browsers (Chrome, Safari) have disabled third-party cookies, is there another way to achieve SSO login and token renewal even when third-party cookies are disabled?
We went through the Okta custom domain suggestions; it may work for an SPA or a single domain, but in our case it is multiple domains. E.g.: Application1 is a plugin that can be plugged into any apps with different domains (Jira plugin).

Updated April 2024:
There is a method to renew tokens without using the session cookie, see this article: https://developer.okta.com/docs/guides/refresh-tokens/main/#example-request-for-an-authorization-code-and-refresh-token
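The cookie-free renewal mentioned in the April 2024 update, shown as an added example (not code from this thread or from Okta): the app gets a refresh token through a top-level redirect with the `offline_access` scope, then renews by POSTing to the token endpoint instead of loading Okta in an iframe. The issuer, client ID, redirect URI and all function names are constructed placeholders, and the PKCE challenge is assumed to be computed by the caller.

```javascript
const CONFIG = { // constructed placeholders, not values from the thread
  issuer: 'https://id.example.com/oauth2/default', // assumed Okta authorization server
  clientId: 'CLIENT_ID_PLACEHOLDER',
  redirectUri: 'https://app.example.org/callback',
};

// Step 1: top-level redirect (no iframe); offline_access requests a refresh token.
function buildAuthorizeUrl(cfg, state, codeChallenge) {
  const url = new URL(cfg.issuer + '/v1/authorize');
  url.search = new URLSearchParams({
    client_id: cfg.clientId,
    response_type: 'code',
    scope: 'openid offline_access',
    redirect_uri: cfg.redirectUri,
    state,
    code_challenge: codeChallenge, // PKCE S256 challenge supplied by the caller
    code_challenge_method: 'S256',
  }).toString();
  return url.toString();
}

// Step 2: renewal is a direct POST to the token endpoint; no session cookie is sent.
function buildRefreshRequest(cfg, refreshToken) {
  return {
    url: cfg.issuer + '/v1/token',
    init: {
      method: 'POST',
      credentials: 'omit', // fetch() option: send no cookies at all
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({
        grant_type: 'refresh_token',
        client_id: cfg.clientId,
        scope: 'openid offline_access',
        refresh_token: refreshToken,
      }).toString(),
    },
  };
}

// Step 3: store the response; a rotated refresh token replaces the old one.
function applyTokenResponse(prev, resp, nowMs) {
  return {
    accessToken: resp.access_token,
    refreshToken: resp.refresh_token || prev.refreshToken,
    expiresAt: nowMs + resp.expires_in * 1000,
  };
}

// Renew shortly before expiry so API calls never carry a stale access token.
const needsRenewal = (tokens, nowMs, skewMs = 30000) => nowMs >= tokens.expiresAt - skewMs;
```

In a browser, the request from step 2 is sent with `fetch(req.url, req.init)`. Where refresh token rotation is enabled on the authorization server, each response carries a new refresh token and the previous one must be discarded, which is what step 3 does.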
Hello Chandrakala,
At the moment, Okta only offers the custom domain option to bypass the third party cookie issue from browsers. Our development teams are working on a better solution that doesn't require custom domains.
You can read more about the current situation in this article
https://support.okta.com/help/s/article/FAQ-How-Blocking-Third-Party-Cookies-Can-Potentially-Impact-Your-Okta-Environment
Radu Chiriac
Technical Support Engineer
Okta Global Customer Care
Hi Radu,
Thanks for the reply. Is the custom domain option to bypass the third-party cookie issue from browsers the only option for the Okta-Auth-Js SDK, or is it the only option for all the SDKs, or are there any other approaches/flows that are not impacted by disabling third-party cookies? Can you please let me know approximately when we can expect the solution that doesn't require custom domains to be configured?
Regards,
Chandra
Hi Chandrakala,
We don't have a timeframe to share yet, but we'll let you know as soon as we do.
Thanks!
Tim
Okta, Inc.
Hi Radu/Tim,
Modern browsers (Chrome, Safari) are blocking third-party cookies by default; it affects all our end users' access to our many applications.
End users had to manually enable third-party cookies to use our applications. Is there any other workaround to overcome the impact of blocking third-party cookies on SSO, other than custom domains?
Regards,
Chandra
This article:
https://support.okta.com/help/s/article/FAQ-How-Blocking-Third-Party-Cookies-Can-Potentially-Impact-Your-Okta-Environment
also contains the following:
Note: In the event that you have multiple applications running on separate domains, all of which rely on a single Okta tenant for authentication, the best course of action will be to convert your applications to use a Federation protocol like OpenID Connect (OIDC). You can learn more about OIDC in our developer docs: https://developer.okta.com/docs/concepts/oauth-openid/
It is not clear what is meant by this. The article on OIDC does not cover this, as far as I can tell. Can you expand on how using OIDC can help resolve the problem with blocked third-party cookies?