I just spent the better part of the day figuring out why my Phoenix app could authenticate through Auth0 flawlessly via Chrome but gave a fatal error (invalid_token) via Safari.
Long story short, it turns out the `put_secure_browser_headers` plug put so many blocks in place (and Safari enforces these more than Chrome does) that this was a server-based problem masquerading as a client issue. I am still figuring out what the valid values for the response headers are, but I don't think security defaults should get in the way of functionality like that.
I would suggest making these things more explicit and/or optional. This has been quite a frustrating day.