Can anyone elaborate on why third-party cookies are required for the checkSession call in auth0.js, per the Auth0.js v9 Reference?
My understanding is that checkSession works by creating a hidden iframe with src as the Auth0 subdomain (e.g. myapp.auth0.com) and then passes any tokens back to the app via postMessage. In this case, the only cookies should be first party cookies that the Auth0 subdomain (myapp.auth0.com) sets on itself since it communicates to the app via postMessage.
I looked in the source and also didn’t see any references to setting cross-domain cookies, but I obviously could have missed something (or the requirement could be from some code on the Auth0 side outside of auth0.js).
After following up with our support team they were able to break it down clearly:
Normally auth0.js runs on your domain, e.g. contoso.com, which is different from the auth0.com domain. So the iframe is created in your app and calls auth0.com, which sets a cookie that’s considered a third-party cookie.
Please let me know if this helps clear things up, thanks!
Thanks for the quick follow-up; that makes sense. In retrospect, I realize that my understanding of what “third-party cookies” were was wrong, and I had assumed that they were cookies that one domain was trying to set on a different domain (slightly connected to a cross-origin request with withCredentials set). Now that I understand that third-party cookies are just any cookies set by child iframes with a different domain, the documentation makes a lot more sense. Thanks!
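As an added example (not from the thread and not auth0.js code), this models the decision the support reply describes: a cookie set by a framed document counts as third-party when the frame's site differs from the top-level page's site. The `PUBLIC_SUFFIXES` set is a tiny constructed stand-in for the browser's Public Suffix List, and the function names are assumptions for illustration.

```javascript
// Constructed subset of the Public Suffix List; real browsers use the full list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Registrable domain ("site"): the public suffix plus one more label, so
// myapp.auth0.com -> auth0.com and www.contoso.com -> contoso.com.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i).join(".");
    }
  }
  // No known suffix (e.g. localhost): treat the whole host as the site.
  return hostname.toLowerCase();
}

// True when cookies set by the framed URL are third-party relative to the
// top-level page: the scheme or the registrable domain differs. This mirrors
// the "schemeful same-site" rule browsers apply to cookie blocking.
function isThirdPartyCookieContext(topLevelUrl, frameUrl) {
  const top = new URL(topLevelUrl);
  const frame = new URL(frameUrl);
  if (top.protocol !== frame.protocol) return true;
  return registrableDomain(top.hostname) !== registrableDomain(frame.hostname);
}

// The checkSession layout from the thread: the app at contoso.com embeds a
// hidden iframe pointing at its Auth0 tenant. The tenant's session cookie is
// first-party on myapp.auth0.com itself, but third-party in this embedding,
// so a browser that blocks third-party cookies will not send it to the iframe.
function describeCheckSession(appUrl, tenantUrl) {
  return isThirdPartyCookieContext(appUrl, tenantUrl)
    ? "third-party: blocked when the browser disables third-party cookies"
    : "same-site: unaffected by third-party cookie blocking";
}

console.log(describeCheckSession("https://contoso.com/app", "https://myapp.auth0.com/authorize"));
```

Running the last line shows the thread's case is third-party; pointing the iframe at a host under the app's own registrable domain (e.g. login.contoso.com) would make it same-site.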