If your App is embedded in an iframe, note that the token exchange happens outside that iframe. So to get your session happening inside the iframe, requires a mechanism like cookies. Since that is now verboten with several browsers without approval, that is the issue at hand. If your App just lives on it’s own, then sure, you can manage your own cookies and not experience this problem. Only if you’re embedding your App is the transition to JWT a needed thing at this time. Since the exchange of a JWT can occur with just headers, it evades this third-part cookie issue.
1 Like