I have a strange request for an application to be migrated to Auth0 without the user knowing about it. In the current state, the mobile application can get and validate access tokens, but they are issued not by Auth0 but by a custom AS.
The idea would be to divide the migration of this app into two stages:
First stage: the app would get the tokens issued by Auth0 through a backend (that would in turn use ROPG to authenticate the user with Auth0). After most users have a valid access and refresh token, we would advance to the second stage.
Second stage: with a valid refresh token (obtained in the previous stage) we would change the grant type in Auth0 to access code + PKCE so that the app can get valid access tokens without the users having to log in again.
Does this make sense? Are there any docs regarding this process that I might have missed?