I have my frontend running on "https://example.com" and backend running on "https://api.example.com".
From the backend, the login endpoint "https://api.example.com/auth/login" is returning the refresh token in the response headers as below (I can see it in the browser network tab):
Access-Control-Allow-Origin: https://example.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Set-Cookie: refreshToken=eyJhbGciOiJIUzI1NiJ9...; Path=/auth/refresh; Domain=example.com; Max-Age=31536000000; Expires=Thu, 23 Oct 3023 00:57:41 GMT; Secure; HttpOnly; SameSite=Lax
other headers....

But when the frontend makes the call to refresh the access token, the request doesn't contain the refresh token. The browser doesn't append the token to the request and the server rejects it with 403. Below are the request details for the refresh-token call:

Request URL: https://api.example.com/auth/refresh
Request Method: POST
Status Code: 403 Forbidden
Remote Address: xxxxx
Referrer Policy: strict-origin-when-cross-origin

Request Headers:
:authority: api.example.com
:method: POST
:path: /auth/refresh
:scheme: https
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Content-Length: 0
Origin: https://example.com
Priority: u=1, i
Referer: https://example.com

Why is the browser not appending or storing the refresh token when it is coming from the same sub-domain and the Domain attribute is also set on the refresh-token cookie?
The cookie is also not visible in the browser's dev tools.
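As an added example (not code from the question), the check below parses the Set-Cookie line from the post and walks through the attributes a browser evaluates before attaching the cookie to the cross-origin refresh request: Domain, Path, Secure, SameSite, and the credentials mode of the fetch/XHR call. The frontend's fetch call is not on the page, so its credentials mode is an assumption; the same credentials-mode rule governs whether the browser stores a cookie from a cross-origin login response at all, which would also explain a cookie missing from dev tools.

```javascript
// Constructed from the Set-Cookie header quoted in the question.
const setCookieLine =
  "refreshToken=eyJhbGciOiJIUzI1NiJ9...; Path=/auth/refresh; Domain=example.com; " +
  "Max-Age=31536000000; Expires=Thu, 23 Oct 3023 00:57:41 GMT; Secure; HttpOnly; SameSite=Lax";

// Minimal Set-Cookie parser: name/value pair followed by ';'-separated attributes.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, httpOnly: false };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    const v = i === -1 ? true : a.slice(i + 1);
    if (k === "secure") cookie.secure = true;
    else if (k === "httponly") cookie.httpOnly = true;
    else cookie[k] = v; // domain, path, samesite, max-age, expires
  }
  if (cookie.domain) cookie.domain = cookie.domain.replace(/^\./, "").toLowerCase();
  return cookie;
}

// Registrable-domain approximation (last two labels). Real browsers consult the
// Public Suffix List; this is enough for example.com vs api.example.com.
const site = (host) => host.split(".").slice(-2).join(".");

// Decide whether the cookie would be attached to a request to `url` issued by a
// page on `originHost` with the given fetch credentials mode ("same-origin" is
// the fetch default; cross-origin requests only carry cookies with "include").
function cookieAttached(cookie, { url, originHost, credentials }) {
  const u = new URL(url);
  const domainOk = !cookie.domain || u.hostname === cookie.domain || u.hostname.endsWith("." + cookie.domain);
  const p = cookie.path || "/";
  const pathOk = u.pathname === p || u.pathname.startsWith(p.replace(/\/?$/, "/"));
  const secureOk = !cookie.secure || u.protocol === "https:";
  const sameSiteOk = (cookie.samesite || "lax").toLowerCase() === "none" || site(u.hostname) === site(originHost);
  const credentialsOk = u.host === originHost || credentials === "include";
  return { domainOk, pathOk, secureOk, sameSiteOk, credentialsOk,
           attached: domainOk && pathOk && secureOk && sameSiteOk && credentialsOk };
}
```

On the page's own values every cookie attribute matches the refresh request (example.com and api.example.com are the same site, so SameSite=Lax does not block it); the only condition that can fail is the credentials mode, which a server must also acknowledge with Access-Control-Allow-Credentials: true next to the Access-Control-Allow-Origin header shown.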