After following up with our support team they were able to break it down clearly:
Normally auth0.js runs on your domain e.g. contoso.com
which is different from the auth0.com
domain. So the iframe
is created in your app and calling auth0.com
which sets a a cookie that’s considered as a third party cookie.
Please let me know if this helps clear things up, thanks!