End of third-party cookies

Third-party cookies are now blocked on most browsers, including Chrome, Safari, and Firefox.

Your OIDC provider is considered a third party relative to your application if they do not share a common parent domain.

How Does This Affect You?

Even if your OIDC provider is treated as a third party by the browser, in most cases, this does not impact functionality. oidc-spa works seamlessly even if auth cookies are blocked.

However, if your app is allowed to set cookies on your OIDC provider’s domain, you may see a slight performance improvement during the initial load. This is because we can use silent sign-in via an iframe instead of requiring a full page reload.

The only scenario where blocked cookies significantly degrade the user experience is when both of the following conditions are true:

Your OIDC provider does not issue refresh tokens.
The access token has a short lifespan.

For example, if the access token expires every 20 seconds, your app will be forced to reload every 18 seconds, which is not ideal.

To avoid this issue, ensure that your OIDC provider shares a common parent domain with your app so that browsers do not treat it as a third party.

When Are Cookies Considered Third-Party?

Third-party cookie restrictions apply when your OIDC provider and your application do not share a parent domain.

Examples:

✅ No third-party cookie issues (Same Parent Domain)

App hosted at www.my-company.com, dashboard.my-company.com, or my-company.com/dashboard
issuerUri: https://auth.my-company.com/realms/myrealm
Parent domain: my-company.com

❌ Cookies blocked as third party (Different Parent Domains)

App hosted at my-company.com
issuerUri:
- https://accounts.google.com
- https://xxxx.us.auth0.com
- https://login.microsoftonline.com/xxx/v2.0
- https://hydra.project-name.ory.cloud/
No common parent domain → Third-party cookies will be blocked.

Google reCAPTCHA

While reCAPTCHA is not directly related to oidc-spa, its cookies are set on the login page, outside of your app. Since this is a related concern, you can find more details here:

PreviousWhy No Client Secret?NextJWT Of the Access Token

Last updated 1 month ago

Was this helpful?

How Does This Affect You?

Even if your OIDC provider is treated as a third party by the browser, in most cases, this does not impact functionality. oidc-spa works seamlessly even if auth cookies are blocked.

The only scenario where blocked cookies significantly degrade the user experience is when both of the following conditions are true:

Your OIDC provider does not issue refresh tokens.

The access token has a short lifespan.

For example, if the access token expires every 20 seconds, your app will be forced to reload every 18 seconds, which is not ideal.

To avoid this issue, ensure that your OIDC provider shares a common parent domain with your app so that browsers do not treat it as a third party.

When Are Cookies Considered Third-Party?

Third-party cookie restrictions apply when your OIDC provider and your application do not share a parent domain.

Examples:

✅ No third-party cookie issues (Same Parent Domain)

App hosted at www.my-company.com, dashboard.my-company.com, or my-company.com/dashboard

issuerUri: https://auth.my-company.com/realms/myrealm

Parent domain: my-company.com

❌ Cookies blocked as third party (Different Parent Domains)

App hosted at my-company.com

issuerUri:

https://accounts.google.com
https://xxxx.us.auth0.com
https://login.microsoftonline.com/xxx/v2.0
https://hydra.project-name.ory.cloud/

No common parent domain → Third-party cookies will be blocked.