Subdomain first party cookies

Hi, I'm trying to set up first-party cookies for our app at app.ourdomain.com and running into some issues. Here's what I tried:

1. Setting up ourdomain.com in Kinde Custom Domains. It verified fine, but first-party cookies didn't persist.
2. Tried setting up app.ourdomain.com directly. Now Kinde says verification failed.

Was a bit confused by the settings page vs. docs for DNS. For app.ourdomain.com (aiming for auth.app.ourdomain.com), I've got these CNAMEs:

auth.app -> uk.kinde.com.
_acme-challenge.auth.app -> _acme-challenge.randomnumber.ourdomain.kinde.com.

First-party cookies still aren't working with this setup either. Any ideas what I might be missing or how to get app.ourdomain.com verified correctly for first-party cookies? Thanks!
Daniel, 4mo ago

Hi there, Thanks for reaching out. There are a few key issues to address in your setup:

1. For the custom domain to work properly, you need to include a single subdomain rather than multiple levels. The domain should follow the format account.example.com rather than auth.app.ourdomain.com.
2. When setting up DNS records, ensure they match exactly:
   - Host = account (just the subdomain part)
   - Record type = CNAME
   - Value = The value provided by Kinde
   - Leave TTL and routing policy as default
3. For multi-level subdomains, the setup depends on your DNS zones. If your zone is example.com and you want multi.subdomain.example.com, you'll need to create:
   - A DNS entry for multi.subdomain
   - A DNS entry for _acme-challenge.multi.subdomain
4. Once verified, the challenge DNS record must remain in place for ongoing SSL certificate renewal.
5. For first-party cookies to work:
   - The authentication URL and redirect URL must share the same root domain
   - Update your application's environment variables and configuration files with the custom domain
   - Update callback and logout redirect URLs in your Kinde dashboard settings

I recommend:

1. Start with a single subdomain like auth.ourdomain.com
2. Set up the DNS records exactly as shown in Kinde's dashboard
3. Wait for verification (can take up to a few hours)
4. Once verified, update your application configuration

For debugging, if verification fails, double-check that your DNS records exactly match the format provided in the Kinde dashboard.

https://docs.kinde.com/build/domains/pointing-your-domain/

Please let me know if you have any questions or need help.
LittleSasha (OP), 4mo ago
hey thanks for answering - so i originally tried auth.ourdomain.com and it successfully provisioned in kinde (see screenshot). the dns was set up correctly (at least I think), however the cookies would not persist under app.ourdomain.com and would ask you to sign in again on every page navigation
LittleSasha (OP), 4mo ago
i set up the KindeProvider with the auth.ourdomain.com url as the VITE_KINDE_DOMAIN variable:
<KindeProvider
  clientId={import.meta.env.VITE_KINDE_CLIENT_ID}
  domain={import.meta.env.VITE_KINDE_DOMAIN}
  redirectUri={import.meta.env.VITE_KINDE_REDIRECT_URI}
  logoutUri={import.meta.env.VITE_KINDE_LOGOUT_URI}
>
is there anything that i did wrong? note that our app is at app.ourdomain.com and not on ourdomain.com
Daniel, 4mo ago

Hi there, I am sorry for not responding sooner.

For subdomains like auth.ourdomain.com and app.ourdomain.com to share authentication cookies, you need to set the cookie domain to the root domain .ourdomain.com.

Based on the configuration you shared, you're using a frontend SDK (likely React or JavaScript based on the KindeProvider syntax). For Next.js App Router SDK, you would set:

KINDE_COOKIE_DOMAIN=.ourdomain.com

Since you're using a frontend framework with KindeProvider, you'll need to check your specific SDK documentation for the equivalent cookie domain configuration. The key principle is that cookies need to be set to the root domain rather than the subdomain to achieve cross-subdomain authentication.

The issue you're experiencing is expected behavior when cookies are scoped to the specific subdomain that made the login request. By default, your token cookie will be local to the subdomain that made the login request (e.g. auth.ourdomain.com), so app.ourdomain.com will have no visibility of this.

Please let me know if you have any more questions or need help.
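The scoping behaviour described in the reply above, modelled with the domain-matching rules of RFC 6265 (an added example, not part of the original thread and not Kinde's code; the function names are made up for illustration and the host names are the thread's placeholders):

```javascript
// RFC 6265 section 5.1.3 domain matching plus the host-only flag (section 5.3).
// Real browsers additionally reject a Domain that is a public suffix; not modelled here.

function canonical(host) {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// True when requestHost domain-matches cookieDomain.
function domainMatch(requestHost, cookieDomain) {
  const host = canonical(requestHost);
  const domain = canonical(cookieDomain);
  if (host === domain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Model how a user agent stores a cookie set by setterHost.
// domainAttr is the Domain attribute value, or undefined when it is absent.
function storeCookie(setterHost, domainAttr) {
  if (domainAttr === undefined || domainAttr === "") {
    return { domain: canonical(setterHost), hostOnly: true };
  }
  const domain = canonical(domainAttr.replace(/^\./, "")); // leading dot is ignored
  // A host may only set cookies for itself or one of its parent domains.
  if (!domainMatch(setterHost, domain)) return null; // cookie rejected
  return { domain, hostOnly: false };
}

// Would the stored cookie be attached to a request for requestHost?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? canonical(requestHost) === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

const hostOnly = storeCookie("auth.ourdomain.com", undefined);
const parentScoped = storeCookie("auth.ourdomain.com", ".ourdomain.com");
const sibling = storeCookie("auth.ourdomain.com", "app.ourdomain.com");

for (const host of ["auth.ourdomain.com", "app.ourdomain.com", "ourdomain.com"]) {
  console.log(host, "host-only:", isSentTo(hostOnly, host),
    "parent-scoped:", isSentTo(parentScoped, host));
}
console.log("cookie for sibling host accepted:", sibling !== null);
```

A cookie scoped to the parent domain is attached to requests for every subdomain of ourdomain.com, so the host-only default is the narrower of the two scopes.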
LittleSasha (OP), 4mo ago

Hi, Thanks for your answer. I set up account.ourdomain.com, and Kinde now says that the domain is Provisioned, so I'll assume that piece is good. I tried looking for a KINDE_COOKIE_DOMAIN variable (or any related cookie variable) inside of your kinde-auth-react library which provides me with KindeProvider, however I wasn't able to find such a variable. Do you know how I can set this for your kinde-auth-react sdk?
Daniel, 4mo ago

Hi there, The KINDE_COOKIE_DOMAIN variable is specific to the Next.js SDKs and not available in the React SDK. The React SDK handles custom domains differently.

For the React SDK with custom domains, you should use the Custom Domains (https://docs.kinde.com/build/domains/pointing-your-domain/) feature which allows Kinde to set a secure, httpOnly first party cookie on your domain. This is the recommended approach for Single Page Applications (SPAs) as it means authentication state persists for full-page refreshes and new tabs.

To implement this with your React SDK:

1. Update your <KindeProvider> domain prop to use your custom domain:

   <KindeProvider
     domain="https://account.ourdomain.com"
     // ... other props
   >

2. Ensure your callback and logout redirect URLs in your Kinde settings are updated with the custom domain.

The React SDK doesn't require a separate cookie domain configuration because when you use a custom domain, Kinde can set secure first-party cookies automatically.

Please let me know if you have any more questions or need help.
LittleSasha (OP), 4mo ago
That worked, thanks!
Daniel, 4mo ago
Hey there, I am happy that I could help you. If you have any questions, please don't hesitate to ask.
