Same thought. I’m curious to know what other kinds of authentication protocols require third-party cookies to operate. Within OIDC, even more obscure/advanced features such as session management and global logout require only first-party (the IdP's) cookies in order to function.
I guess the tradeoff being made here is just leaning into our reliance on the certificate authority system. Whereas before, with third-party cookies, you might have had more flexibility with how you structure your domains.
The implicit grant, while deprecated, is still used across the ecosystem. Further, embedded apps (e.g. you have a portal that iframes Salesforce and Salesforce needs to be authenticated) can't redirect to the login page or open that iframe for cookies.
Front-channel logout, part of the OIDC spec, is also broken. It opens iframes to sites, but the sites don't get their cookies and can't write them.
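The failure mode in the last comment, as an added illustration that is not code from any commenter: the OP's front-channel logout page loads the RP's `frontchannel_logout_uri` in a cross-site iframe, and with third-party cookies blocked the RP receives no session cookie and any `Set-Cookie` it returns is discarded. The OIDC Front-Channel Logout spec lets the OP append `iss` and `sid` query parameters, and an RP that keys its server-side sessions by the ID token's `sid` claim can still terminate the right session without seeing a cookie. The RP hostname, issuer URL, cookie name and in-memory session store below are assumptions made for this example.

```python
# Added example: an OIDC RP front-channel logout handler that does not depend
# on the RP's cookie being present in the OP's cross-site logout iframe.
# EXPECTED_ISSUER, SESSION_COOKIE and the SessionStore are assumed names.
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

EXPECTED_ISSUER = "https://op.example"   # assumed OP issuer the RP trusts
SESSION_COOKIE = "rp_session"            # assumed RP session cookie name


@dataclass
class RPSession:
    sub: str
    sid: str   # OP session id, taken from the ID token's "sid" claim at login
    iss: str


@dataclass
class SessionStore:
    """Server-side sessions keyed by the opaque value stored in the cookie."""
    sessions: Dict[str, RPSession] = field(default_factory=dict)

    def terminate_by_sid(self, iss: str, sid: str) -> int:
        # Works even when the browser withheld the cookie: the OP told us
        # which session it is ending, so we invalidate it server-side.
        doomed = [k for k, s in self.sessions.items() if s.iss == iss and s.sid == sid]
        for key in doomed:
            del self.sessions[key]
        return len(doomed)

    def terminate_by_key(self, key: str) -> bool:
        return self.sessions.pop(key, None) is not None


def handle_front_channel_logout(store: SessionStore, url: str,
                                cookie_header: Optional[str]) -> Tuple[int, Dict[str, str], int]:
    """Handle GET <frontchannel_logout_uri>?iss=...&sid=... from the OP's iframe.

    Returns (HTTP status, response headers, number of sessions terminated).
    """
    params = parse_qs(urlparse(url).query)
    iss = params.get("iss", [None])[0]
    sid = params.get("sid", [None])[0]
    # The spec asks the RP to make the logout response uncacheable.
    headers = {"Cache-Control": "no-cache, no-store", "Pragma": "no-cache"}

    # Reject logout requests that are not for our OP or that carry no session
    # id; otherwise an unrelated site embedding this URL could log users out.
    if iss != EXPECTED_ISSUER or not sid:
        return 400, headers, 0

    terminated = store.terminate_by_sid(iss, sid)

    if cookie_header:
        # First-party context (or cookies not partitioned): also clear the
        # session referenced by the cookie and expire the cookie itself.
        cookie = SimpleCookie()
        cookie.load(cookie_header)
        morsel = cookie.get(SESSION_COOKIE)
        if morsel and store.terminate_by_key(morsel.value):
            terminated += 1
        headers["Set-Cookie"] = (
            f"{SESSION_COOKIE}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"
        )
    # With no cookie (third-party context) the Set-Cookie would be ignored
    # anyway; the server-side invalidation by sid is what actually ends the
    # session, so the stale cookie becomes a dead reference.
    return 200, headers, terminated


if __name__ == "__main__":
    # Constructed sample state: two logged-in sessions from the same OP.
    store = SessionStore({
        "k1": RPSession("alice", "sid-1", EXPECTED_ISSUER),
        "k2": RPSession("bob", "sid-2", EXPECTED_ISSUER),
    })
    # Iframe request arrives without any cookie, as under third-party cookie blocking.
    status, hdrs, n = handle_front_channel_logout(
        store, "https://rp.example/fc-logout?iss=https%3A%2F%2Fop.example&sid=sid-1", None)
    print(status, n, sorted(store.sessions))   # 200 1 ['k2']
```

The `sid`-based path is what keeps logout working when the iframe is cookie-less; the cookie path only adds a cosmetic cleanup in first-party contexts. Where the RP cannot rely on the browser at all, the spec's Back-Channel Logout profile delivers the same `sid` in a signed logout token directly from the OP to the RP's server and is independent of cookies entirely.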