Also I'm wondering what sort of Cookies are required for the auth flows Hydra/Kratos supports. We ran into an issue with Keycloak where cross-domain cookies were not allowed in an iframe (client-requirement) on iOS. Does the Ory stack require session cookies for even simple auth flows like oauth2 token exchange?