The requests to ‘/authorize’ always redirect to ‘*/login’ in Safari when ITP (Intelligent Tracking Prevention) is enabled before the session lifetime has ended. Are there any recommendations to allow users to stay authenticated as expected when ITP is enabled?
ITP requires users to interact with sites in order for them not to be classified as 3rd party or tracking. Interaction requires actual interaction - such as mouse movements, clicks, or typing. A visit is not sufficient.
Although it may be possible to direct users to disable ITP (Prevent cross-site tracking setting) in Safari, this likely is not a long-term solution.
Instead, using the refresh token flow to renew tokens will allow the application to bypass this particular issue around third-party cookies entirely and allow users to retain access to necessary resources. More on implementing refresh tokens in an application can be found in the product documentation at Refresh Tokens - SDK support.