Good morning @ldeveber, I'm following up on this front after gathering feedback from one of our senior engineers.
When leveraging Auth0-spa-js there shouldn’t be a call for usernamepassword/login, unlike with auth0.js. Auth0-spa-js will unanimously redirect to /authorize and for checksession. Furthermore, the usernamepassword/login is for the hosted login page and co/authenticate if you are doing it cross origin. Auth0.js as it stands handles both hosted pages and non-hosted pages; it tries to guess which endpoint to hit and which flow to follow.
Documentation that can help on this front is our Cross-Origin Authentication doc and the Auth0.js GitHub repo documentation, which I will share below:
- If you’re calling this method from the Universal Login Page, it will use the usernamepassword/login endpoint
- If you’re calling this method outside the Universal Login Page, it will use the cross origin authentication (/co/authenticate) flow
After finding out more information about your use case from our team, when it comes to leveraging Electron in this instance, our guidance would be to use Electron’s embedded browser window for triggering opening a browser. An abstract logic workflow that would work is:
- login: Open a browser, call authorize with a refresh token
- logout: Open the browser and kill the session, also revoke the RT
- getTokenSilently: Use the RT to get the token
- getProfile: Use a profile, this was given to you by the idToken
Please let us know if you have any questions on this front that we can assist with and we’d be happy to help!
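
The four-step workflow in the reply above, sketched as request builders in Node.js. This is an added example, not part of the original post and not Auth0's code. The tenant domain, client ID and redirect URI are constructed placeholders, and PKCE plus the `/oauth/token`, `/oauth/revoke` and `/v2/logout` endpoints are assumptions the post does not name.

```javascript
const nodeCrypto = require('crypto');

// Constructed placeholders, not values from the thread.
const cfg = { domain: 'tenant.example.com', clientId: 'EXAMPLE_CLIENT_ID',
              redirectUri: 'http://127.0.0.1:42813/callback' };
const b64url = (buf) => buf.toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const form = (obj) => new URLSearchParams(obj).toString();

// login: URL to open in the browser window. offline_access asks for a refresh
// token; PKCE (an assumption here) binds the returned code to this app instance.
function buildLogin(verifier = b64url(nodeCrypto.randomBytes(32)),
                    state = b64url(nodeCrypto.randomBytes(16))) {
  const challenge = b64url(nodeCrypto.createHash('sha256').update(verifier).digest());
  const query = form({ response_type: 'code', client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri, scope: 'openid profile offline_access',
    state, code_challenge: challenge, code_challenge_method: 'S256' });
  return { url: `https://${cfg.domain}/authorize?${query}`, verifier, state };
}

// getTokenSilently: exchange the stored refresh token (RT) for fresh tokens.
function buildRefresh(rt) {
  return { url: `https://${cfg.domain}/oauth/token`,
    body: form({ grant_type: 'refresh_token', client_id: cfg.clientId, refresh_token: rt }) };
}

// logout: revoke the RT, then open the browser on the session-ending URL.
function buildLogout(rt, returnTo) {
  return {
    revoke: { url: `https://${cfg.domain}/oauth/revoke`,
      body: JSON.stringify({ client_id: cfg.clientId, token: rt }) },
    sessionUrl: `https://${cfg.domain}/v2/logout?${form({ client_id: cfg.clientId, returnTo })}`,
  };
}

// getProfile: read claims from the ID token. Signature verification against the
// tenant's signing keys is assumed to have happened before this call.
function profileFromIdToken(idToken, now = Math.floor(Date.now() / 1000)) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed ID token');
  const c = JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
  if (c.iss !== `https://${cfg.domain}/`) throw new Error('unexpected issuer');
  const aud = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (!aud.includes(cfg.clientId)) throw new Error('unexpected audience');
  if (typeof c.exp !== 'number' || c.exp <= now) throw new Error('ID token expired');
  return { sub: c.sub, name: c.name, email: c.email };
}
```

The `state` and `verifier` returned by `buildLogin` have to be kept until the callback arrives: `state` is compared with the value on the redirect, and `verifier` goes into the code exchange.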