Can I login by Python installed on a client's computer without client_secret?

I’m wanting to create a Windows desktop application written in Python, packaged in pyInstaller into a Windows .exe, then packaged into an installer .exe using NSIS. The application includes a Windows service that sends status updates to and receives commands from my server, authenticated by Auth0. The example in the documentation is as follows, but embedding the client_secret into code would be a security vulnerability.

How can I securely distribute a desktop app that logs in to Auth0 without giving away the client_secret?

from auth0.v3.authentication import GetToken

token = GetToken('myaccount.auth0.com')

token.login(client_id='...', client_secret='...', username='user@domain.com', password='secr3t', realm='Username-Password-Authentication')

Hey there!

I think that would be the best questions to repo maintainers. Can you raise it as a GitHub issue in the repo you references and share a link to it here so we can ping them. Thank you!

I don’t see how I can open an issue. The only choices are Feature request, Report a bug, or Report a security vulnerability. None of those fit. I figured this would be an implementation question, best for these forums.

I believe the answer may be that I need to use PKCE:

Or perhaps Device Authorization Flow may be better as it makes the desktop app simpler:
https://auth0.com/docs/authorization/flows/call-your-api-using-the-device-authorization-flow