Any Solutions for Safari+ITP with token.getWithoutPrompt()?

As we all know, Safari’s ITP blocks 3rd-party cookies. The token.getWithoutPrompt() method relies on cookies being sent in an iframe to have an active session and retrieve a token. I have not found any work-around for this. Are there any updates?
My current solution is to detect when this fails and fallback to a full-page redirect. This is a poor UX, but luckily only affects Safari users. It also requires additional work in our app to handle this flow. I could use a popup, but those are unreliable.

In reading about ITP, it looks like there are some cases where I thought that 3rd party cookies would be sent. For example, if you interact with a site directly as a user, then I thought 3P cookies would be sent for 24 hours. I likely misunderstood, because my testing of this didn’t work.

I’m curious to know what if anything others are doing to get around this problem.

I have looked into Safari’s storage API with no luck. It allows an iframe to request storage access, which also grants cookie access. But it requires a user gesture, so it can’t be used within a hidden iframe.

I also looked into the idea of using a session ID to retrieve a token, so the cookies would not be required. But I can’t find a way to access the session ID of an active session in the main window or after a login redirect. It doesn’t seem like I ever get access to the session ID.

Key recommendations are:

  1. Do not use getWithoutPrompt. Either use refresh tokens to fetch new tokens for a user OR do it via a redirect instead
  2. Add a custom domain to your Okta org and host your application from the same domain (TLD+1). This is discussed in our FAQ about 3rd party cookie blocking: FAQ: How Blocked Third Party Cookies Can Potentially Impact Your Okta Environment | Okta Help Center

Thanks andrea, my responses to that are:

  1. Refresh tokens don’t solve the problem because how do we get refresh tokens? Same problem as getting tokens to begin with. Also for a web app, tokens shouldn’t be stored in the browser. Doing it with a redirect is the “normal” way, but if I have a dashboard with 10 components, each requiring their own token to call their own API, I obviously can’t let all of them redirect at the same time. How can I collect all the tokens I need in this scenario?
  2. This is fine except that Okta doesn’t support multiple domains for a tenant. I have a case of two domains for the same company, and my web app lives on domain A, while the auth servers live on domain B. I can’t move either, so my only option is to have Okta also support domain A so they can live on the same domain.
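The two patterns discussed in this thread, detecting a failed `token.getWithoutPrompt()` and falling back to a full-page redirect, and doing that once for a dashboard of many components rather than once per component, can be combined in a small token broker. The code below is an added example, not code from the original posts or from Okta. It assumes an Okta Auth JS-style client exposing `token.getWithoutPrompt()` and `token.getWithRedirect()`; the client is injected, so the example runs offline against the constructed stub at the bottom, and the option and result shapes are simplified assumptions rather than the library's exact types.

```javascript
// Added example (not from the original thread or from Okta): a token broker
// that puts ONE silent attempt and, on failure, ONE full-page redirect in
// front of many components. Assumes an Okta Auth JS-style client exposing
// token.getWithoutPrompt() and token.getWithRedirect(); the client is injected
// so the broker runs offline against the constructed stub below.

class RedirectInProgress extends Error {
  constructor() {
    super('silent token renewal failed; redirecting to the authorization server');
    this.name = 'RedirectInProgress';
  }
}

class TokenBroker {
  constructor(authClient, { onFallback = () => {} } = {}) {
    this.authClient = authClient;
    this.onFallback = onFallback;
    this.pending = [];     // requests collected during the current tick
    this.scheduled = null; // the batched attempt, once queued
  }

  // Each component asks for the scopes it needs; requests made in the same
  // tick are coalesced into a single attempt.
  getToken(scopes) {
    return new Promise((resolve, reject) => {
      this.pending.push({ scopes, resolve, reject });
      if (!this.scheduled) {
        this.scheduled = Promise.resolve().then(() => this.flush());
      }
    });
  }

  async flush() {
    const batch = this.pending;
    this.pending = [];
    this.scheduled = null;
    // Union of every scope any component asked for, so one token set covers all.
    const scopes = [...new Set(batch.flatMap((r) => r.scopes))].sort();
    try {
      // Hidden-iframe renewal; under Safari ITP the iframe carries no session
      // cookie, so this rejects instead of returning tokens.
      const { tokens } = await this.authClient.token.getWithoutPrompt({ scopes });
      batch.forEach((r) => r.resolve(tokens.accessToken));
    } catch (err) {
      // Whether the cause is ITP or a genuinely expired session, the recovery
      // is the same: a single redirect carrying the union of scopes. Callers
      // are told the page is about to unload instead of being left hanging.
      this.onFallback(err);
      batch.forEach((r) => r.reject(new RedirectInProgress()));
      await this.authClient.token.getWithRedirect({ scopes });
    }
  }
}

// Constructed stub standing in for an OktaAuth instance; it records calls
// instead of opening an iframe or navigating.
function makeStubClient({ silentWorks }) {
  const calls = { silent: [], redirect: [] };
  return {
    calls,
    token: {
      async getWithoutPrompt({ scopes }) {
        calls.silent.push(scopes);
        if (!silentWorks) {
          const e = new Error('login_required (constructed failure)');
          e.errorCode = 'login_required'; // constructed, mirrors the failure described above
          throw e;
        }
        return { tokens: { accessToken: { accessToken: 'constructed.jwt', scopes } } };
      },
      async getWithRedirect({ scopes }) {
        calls.redirect.push(scopes); // a real client would navigate away here
      },
    },
  };
}

// Four dashboard components rendering in the same tick, each needing its own
// API scope; returns what the broker did so the outcome can be inspected.
async function demo(silentWorks) {
  const client = makeStubClient({ silentWorks });
  let fallbacks = 0;
  const broker = new TokenBroker(client, { onFallback: () => { fallbacks += 1; } });
  const apis = ['orders', 'billing', 'orders', 'profile'];
  const results = await Promise.all(
    apis.map((api) =>
      broker.getToken(['openid', `${api}:read`]).then(
        (token) => ({ ok: true, scopes: token.scopes }),
        (err) => ({ ok: false, reason: err.name }),
      ),
    ),
  );
  return { results, silentCalls: client.calls.silent, redirectCalls: client.calls.redirect, fallbacks };
}
```

With the stub configured so the silent attempt succeeds, all four components are served by a single `getWithoutPrompt` call; when it fails, they all see a `RedirectInProgress` rejection and exactly one `getWithRedirect` fires with the union of their scopes, so the callback page receives one token set that covers the whole dashboard. The broker deliberately does not try to tell an ITP-blocked cookie apart from an expired session: in both cases the only reliable recovery without third-party cookies is the redirect.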