Auto Refresh Access Token and 3rd Party Cookies issues



I’m working with the @okta/okta-react package and have wrapped my react-router routes with the SecureRoute component. Everything works as far as initial login, redirect, storing ID/access tokens and setting the auth object on the wrapped component’s props.

I then use those accessTokens when a user takes an action that causes non-GET calls to one of our backing services.

However, I’m running into issues with the autoRefresh of the access tokens, in that the iframe makes the behind-the-scenes call to the authorize endpoint, but on return the cookies are not able to be set unless I explicitly tell my browser to accept 3rd-party cookies at the okta (or, during dev work, oktapreview) domain. I cannot reliably expect all of my customers to turn on 3rd-party cookies for okta.

Does anyone have any guidance, or have any idea about common issues for this flow?