We finally figured out all of the reasoning.
- Safari by default does not accept cookies anymore (other browsers probably following suit soon)
- So we enabled custom domains (Auth0 → Tenant Settings → Custom Domains)
- Added the CNAME to our registrar
- Then we changed our login URL to this new domain (e.g. login.mydomain.com)
- No need for cross-origin cookies or cross-origin verification anymore, and all browsers and users can sign in
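
Why the custom domain removes the cookie problem, as an added example (not part of the original post and not Auth0's code): browsers decide whether a cookie is third-party by comparing the registrable domain (eTLD+1) of the page with that of the host setting the cookie, so a login host under the app's own domain is treated as first-party. The suffix set, the tenant name `mytenant` and the app host `app.mydomain.com` are constructed placeholders.

```javascript
// Constructed stand-in for the Public Suffix List; real code should use the full list.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk", "github.io"]);

// Registrable domain (eTLD+1): the longest matching public suffix plus one more label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) {
      // A host that is itself a public suffix has no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: treat as not comparable
}

// Schemeful same-site check between the app and the login host.
function isSameSite(appUrl, loginUrl) {
  const app = new URL(appUrl);
  const login = new URL(loginUrl);
  const a = registrableDomain(app.hostname);
  const b = registrableDomain(login.hostname);
  return a !== null && a === b && app.protocol === login.protocol;
}

// How the browser classifies the login host's cookies when the app is the top-level page.
function cookieContext(appUrl, loginUrl) {
  return isSameSite(appUrl, loginUrl) ? "first-party" : "third-party";
}

// Constructed sample values: before and after switching the login URL.
const APP = "https://app.mydomain.com";
const results = {
  defaultTenantDomain: cookieContext(APP, "https://mytenant.auth0.com"),
  customDomain: cookieContext(APP, "https://login.mydomain.com"),
};
console.log(results);
```

The same check flags a setup where the app and the login host sit under a shared public suffix (for example two different `github.io` subdomains), which browsers still treat as cross-site.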