Also, to add to the above, I have looked through multiple potential implementations. I am unsure whether my request using extra parameters makes it to the Auth0 request. Maybe it doesn’t; however, I am unable to find anything in the logs to provide me with any insight into how it is communicating with Auth0.
Looking at the implementation I first mentioned, you would think that the following request should provide the correct token with the values I expect:
```javascript
const [request, result, promptAsync] = AuthSession.useAuthRequest(
  {
    redirectUri,
    clientId: auth0ClientId,
    // id_token will return a JWT token
    responseType: 'id_token',
    // retrieve the user's profile
    scopes: ['offline_access', 'openid', 'profile', 'email'],
    extraParams: {
      audience: auth0Audience,
      // ideally, this will be a random value
      nonce: 'nonce',
    },
  },
  { authorizationEndpoint }
);
```
However, I am not sure that the extraParams with the audience even get populated across or how they are formed. At this point I am unsure whether to spend hours down the rabbit hole looking into how this library implements this call and handles extra parameters, and whether those extra parameters will be ingested by Auth0…
Information on the Request can be found at this link: AuthSession - Expo Documentation
Information on the Request configuration can be found at this link: AuthSession - Expo Documentation
Or should I not be trying to do this as a cohesive, best-practice style set of steps? Will I have to manually attempt to handle the individual calls of the PKCE flow myself, something such as the following link: Auth0 Authorization Code Flow with PKCE using Expo AuthSession — JAMES IRISH
Either way, this is a real disappointment for the developer experience, especially given there are multiple Auth0 repos of “examples” which seem to be abandoned or deprecated with no reasoning. Am I the only person using Auth0 with Expo that needs to have a rule add a value to a token? Surely not? At this point, an answer of “we haven’t even bothered with doing anything with expo and don’t know if it would even work” is at least a solid answer that allows me to know that this isn’t a tested situation that is expected to work.
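An added example, not part of the original post and not Auth0 or Expo code: one way to see whether the extra parameters reach the authorization request is to parse the URL that is about to be opened and check its query string. It assumes the URL string is available to log (for instance from the request object's `url` field); `inspectAuthorizeUrl`, `sampleUrl`, the tenant host, client id and audience are hypothetical names and constructed values.

```javascript
// Added example. Runs under Node with no imports; every URL below is a constructed sample.
// Returns a list of findings for an OAuth 2.0 / OIDC authorization URL.
function inspectAuthorizeUrl(authUrl, expected = {}) {
  const params = new URL(authUrl).searchParams;
  const list = (name) => (params.get(name) || '').split(' ').filter(Boolean);
  const responseTypes = list('response_type');
  const scopes = list('scope');
  const findings = [];

  // 1. Did every expected extra parameter reach the query string unchanged?
  for (const [name, value] of Object.entries(expected)) {
    if (params.get(name) !== value) findings.push(`missing-or-changed:${name}`);
  }
  // 2. OIDC requires a nonce when the ID token is returned from the authorization
  //    endpoint. The 16-character floor is this example's own heuristic for
  //    spotting a constant such as 'nonce'.
  if (responseTypes.includes('id_token')) {
    const nonce = params.get('nonce');
    if (!nonce) findings.push('nonce-missing');
    else if (nonce.length < 16) findings.push('nonce-too-short');
  }
  // 3. audience names the API an access token is issued for; a response_type
  //    without 'token' or 'code' never yields an access token.
  const yieldsAccessToken = responseTypes.includes('token') || responseTypes.includes('code');
  if (params.has('audience') && !yieldsAccessToken) findings.push('audience-without-access-token');
  // 4. Refresh tokens are not issued on implicit responses (RFC 6749, section 4.2.2).
  if (scopes.includes('offline_access') && !responseTypes.includes('code')) {
    findings.push('offline_access-without-code');
  }
  // 5. The code flow from a public client should carry a PKCE challenge (RFC 7636).
  if (responseTypes.includes('code') && !params.has('code_challenge')) findings.push('pkce-missing');
  return findings;
}

// Constructed helper: build a sample authorization URL on a placeholder tenant.
function sampleUrl(query) {
  return 'https://tenant.example/authorize?' + new URLSearchParams(query).toString();
}

const AUDIENCE = 'https://api.example/'; // placeholder audience
const BASE = { client_id: 'CLIENT_ID_PLACEHOLDER', redirect_uri: 'https://app.example/callback' };
// Mirrors the configuration in the post: id_token response, offline_access scope, fixed nonce.
const fromPost = sampleUrl({ ...BASE, response_type: 'id_token',
  scope: 'offline_access openid profile email', audience: AUDIENCE, nonce: 'nonce' });
// Same configuration, but with the audience dropped before it reached the URL.
const audienceLost = sampleUrl({ ...BASE, response_type: 'id_token', scope: 'openid', nonce: 'nonce' });

console.log(inspectAuthorizeUrl(fromPost, { audience: AUDIENCE }));
console.log(inspectAuthorizeUrl(audienceLost, { audience: AUDIENCE }));
```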