Hi there @dubar.jeremy ,
Google’s plans include blocking third-party cookies, to be more specific. Cookies-based flows should not cause issues if Auth0’s and the application’s second-level domain are the same.
Ref:
This will also not affect a tenant using a Custom Domain with Auth0 and if the second-level domain matches the application’s domain.
Alternatively, you can integrate your SPA application with Auth0 to relay on refresh token rotation (which it looks like you already did 
)
Please let me know if you have follow-up questions about that.