This is a webdev question, and it is not directly related to Brave, but Brave is one of the only browsers with default block of third party cookies, so here goes:
In other browsers where third party cookies aren’t blocked this isn’t a problem, there set-cookie works fine.
I also don’t understand how normal OAuth would work in the iframe scenario; first of all one must use a popup - or else the iframe should be blocked by X-Frame-Options: Deny from OAuth server - and popup requires user interaction to not be blocked.
Implicit flow (hidden iframe) won’t work because of both X-Frame-Options: Deny and blocked third party cookies, so every hour (if default token timeout) there must be a new popup, which requires user interaction. Technically possible, but not very user friendly.
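
The two blockers named in the post above, expressed as a check over an authorization server's response headers. This is an added example, not part of the original post; the function names, origins and header values are constructed, and it also handles CSP `frame-ancestors`, which the post does not mention.

```javascript
// Added example. Header values are constructed; function names are hypothetical.

// Decide whether a response may render in a frame embedded by embedderOrigin.
// Simplified: frame-ancestors sources are matched as exact origins only
// (no scheme-only or wildcard-host patterns), and one ancestor is considered.
function framingAllowed(headers, embedderOrigin, serverOrigin) {
  const csp = headers['content-security-policy'] || '';
  const directive = csp.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    const sources = directive.slice(1);
    if (sources.length === 0 || sources.includes("'none'")) return false;
    if (sources.includes('*')) return true;
    if (sources.includes("'self'") && embedderOrigin === serverOrigin) return true;
    return sources.includes(embedderOrigin);
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === serverOrigin;
  return true; // no framing restriction was sent
}

// Which token-renewal paths remain for an app at appOrigin against authOrigin.
// crossSite is supplied by the caller (site comparison needs the public suffix list).
function renewalOptions({ headers, appOrigin, authOrigin, crossSite, thirdPartyCookiesBlocked }) {
  const blockers = [];
  if (!framingAllowed(headers, appOrigin, authOrigin)) {
    blockers.push('framing denied by response headers');
  }
  if (crossSite && thirdPartyCookiesBlocked) {
    blockers.push('session cookie not sent in third-party iframe');
  }
  return {
    hiddenIframe: blockers.length === 0,
    popup: 'requires user gesture', // top-level window: neither blocker applies
    blockers,
  };
}

const base = { appOrigin: 'https://app.example', authOrigin: 'https://auth.example', crossSite: true };
console.log(renewalOptions({ ...base, headers: { 'x-frame-options': 'DENY' }, thirdPartyCookiesBlocked: true }));
```
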