Hey there @alfred1 !
That would be, unfortunately, an expected behaviour for browsers which technology diable storing 3d party cookies. When the user authenticates, auth0 server responds with the header: set cookie=(…) so that after a successful authentication, there are session related cookies sent from auth0 to the user browser and reused on each subsequent request to the /authorize to perform silent authentication on page refresh (works for chrome which by default doesn’t prevent this behaviour).
We use Cross-Origin Authentication.
Because cross-origin authentication is achieved using third-party cookies, disabling third-party cookies will make cross-origin authentication fail. Some browsers, such as the newest version of Firefox, disable third-party cookies by default, meaning that cross-origin authentication will not work for users on Firefox. The only way to make embedded login work for Firefox users is to use a custom domain, as described below.
It looks like, if you care to work with an embedded authentication form, and rely on a silent authentication, the custom domain for your auth0 tenant would be a solution, but please take into account it’s a paid feature.
Alternatively, you can switch to using the auth0’s Universal login page (same domain during authentication) and using refresh token rotation instead of the silent authentication.