I'm using the Okta sign-in widget to authenticate users within our application. The issue is that when 'Prevent cross-site tracking' is checked within Safari (FF has a similar setting), login still works, but single sign-on, MFA 'do not challenge' and Okta session creation do not work. If I uncheck the setting, everything works as expected.
With Chrome, I'm able to use the silent (no browser url redirection) method to retrieve an access token from Okta. The browser can load the Okta session, and uses MFA feature "Do not challenge me on this device again" perfectly fine.
However, with the same code, Safari doesn't allow me to load the Okta session, nor does it ever stop challenging the user based upon the device they are using (when the option is checked; it is totally fine when not checked).
So I switched the code to use the response.session.setCookieAndRedirect('http://mysite/login') pattern, thinking that a redirect to Okta's site would address the issue. I can see the browser redirecting to Okta and then back to my site with the access token in the code parameter; however, same result.
One of the things I read said that the user has to 'interact' with the 3rd party site, though I'm not exactly sure what 'interact' means. It seems to mean more than 'redirecting through' the site.
Anyone have a better pattern for this that will work within browsers that have stronger third party cookie protection (e.g. FF and Safari)?
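The failure mode described in the post is that the hidden-iframe ("silent") flow depends on the Okta session cookie being sent in a third-party context, which Safari ITP and Firefox ETP block, so the silent request hangs or errors while the top-level redirect (where Okta is the first party) still works. The following is an added example, not code from the post or from Okta: it probes the Storage Access API (`document.hasStorageAccess`, which is what the "interact" requirement refers to, since `requestStorageAccess` needs a user gesture), bounds the silent attempt with a timeout, and falls back to a full-page redirect; `silentAuth` and `redirectAuth` are assumed callbacks wrapping the application's own Okta calls.

```javascript
// Added example: choose between silent (iframe) token acquisition and a
// full-page redirect when third-party cookie protection may hide the Okta
// session cookie. `silentAuth`/`redirectAuth` are assumed app callbacks,
// not Okta API names.

const SILENT_TIMEOUT_MS = 5000;

// Under ITP the iframe flow often never completes (the session cookie is
// simply not sent), so a timeout is the only reliable failure signal.
function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error('silent auth timed out')), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Storage Access API probe. `false` means cookies set by the identity
// provider will not be sent from an embedded iframe. Returns null when the
// API is unavailable (older browsers, or Node when running this offline).
async function thirdPartyStorageAllowed() {
  if (typeof document === 'undefined' ||
      typeof document.hasStorageAccess !== 'function') {
    return null;
  }
  try {
    return await document.hasStorageAccess();
  } catch (e) {
    return null;
  }
}

// Returns { method: 'silent', token } or { method: 'redirect' }.
// The silent path is skipped outright when storage access is known to be
// denied; on timeout or error the user goes through the top-level redirect,
// which works because Okta is then the first party.
async function acquireToken({ silentAuth, redirectAuth,
                              timeoutMs = SILENT_TIMEOUT_MS }) {
  const allowed = await thirdPartyStorageAllowed();
  if (allowed !== false) {
    try {
      const token = await withTimeout(silentAuth(), timeoutMs);
      return { method: 'silent', token };
    } catch (err) {
      // Fall through to the redirect flow.
    }
  }
  await redirectAuth();
  return { method: 'redirect' };
}
```

Note that even after the redirect, "do not challenge me on this device" relies on a cookie Okta sets on its own domain, which the browser may still partition or expire when the user has not interacted with Okta as a first-party site.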