Can anyone elaborate on why third-party cookies are required for the checkSession call in auth0.js per https://auth0.com/docs/libraries/auth0js/v9#using-checksession-to-acquire-new-tokens?
My understanding is that checkSession works by creating a hidden iframe with src as the Auth0 subdomain (e.g. myapp.auth0.com) and then passing any tokens back to the app via postMessage. In this case, the only cookies should be first-party cookies that the Auth0 subdomain (myapp.auth0.com) sets on itself, since it communicates to the app via postMessage.
I looked in the source and also didn’t see any references to setting cross-domain cookies, but I obviously could have missed something (or the requirement could be from some code on the Auth0 side outside of auth0.js).
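
A browser labels a cookie first-party or third-party by comparing the site of the top-level page with the site of the frame making the request, not by which host set the cookie. The sketch below is an added example (not from the post and not auth0.js code) that models this for the hidden-iframe case; `app.example.com`, `login.example.com` and the small suffix set are constructed assumptions standing in for a real app and the real Public Suffix List.

```javascript
// Added example: simplified model of first-party vs third-party cookie context.
// Assumption: this tiny constructed set replaces the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain ("site") of a hostname, e.g. myapp.auth0.com -> auth0.com.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  // Scan from the longest candidate suffix to the shortest.
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) {
      if (i === 0) return null; // the hostname is itself a public suffix
      return labels.slice(i - 1).join("."); // suffix plus one label to its left
    }
  }
  return null; // suffix unknown to this simplified model
}

// Classify the cookie context for a frame embedded in a top-level page.
// This model compares registrable domains only.
function cookieContext(topLevelUrl, frameUrl) {
  const topSite = registrableDomain(new URL(topLevelUrl).hostname);
  const frameSite = registrableDomain(new URL(frameUrl).hostname);
  const sameSite = topSite !== null && topSite === frameSite;
  return { topSite, frameSite, context: sameSite ? "first-party" : "third-party" };
}

// Constructed scenarios: the app page embeds a hidden iframe on each frame host.
const scenarios = [
  ["https://app.example.com/dashboard", "https://myapp.auth0.com/"],
  ["https://app.example.com/dashboard", "https://login.example.com/"],
];

for (const [top, frame] of scenarios) {
  const r = cookieContext(top, frame);
  console.log(`${top} embeds ${frame}: ${r.context} (${r.topSite} vs ${r.frameSite})`);
}
```

In the first scenario the session cookie belongs to `myapp.auth0.com` but is requested from inside a page on a different site, so a browser that blocks third-party cookies withholds it from the iframe request.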