I am looking to provide feedback on some of the problems a first-time user experiences with Auth0 and Expo. I will try to be as descriptive as possible.
1. Expo includes React Native Web
Expo is a service that is meant for mobile and web development at the same time. The quickstart guides for Expo only mention iOS and Android setup, with no mention of web. It isn’t until you dive deep that you find out there is no native support for react-native-web for Auth0, so to fully implement Expo properly you need to build helper classes that check what platform the client is on and use the correct Auth0 SDK: either normal React or React Native, depending on web or mobile.
I think an ideal solution is that the React-Native-Auth0 SDK should include a built-in solution for React-Native-Web, or a new SDK called Expo-Auth0 with support for both web and mobile built in.
Please also update the quickstart documentation to reflect that web is not supported with react-native-auth0 and that you need to roll your own solution to handle web vs. mobile.
2. Quickstart has no mention that you are receiving an opaque access token.
When following the quickstart guides, you only use the “Authorize” function with no parameters passed to it. It should be made clear that because you are not specifying an audience, an opaque token is issued with an expiration time of 24 hours that cannot be changed. You can only change the expiration time on JWT tokens, which are not issued to you until you specify an audience on the Authorize function!
Clarify that portion of the quickstart guides! One of the first things you want to do as a beginner with Auth0 is check that your tokens are expiring properly and that your app is handling expired tokens well. You can’t really do this with the quickstart guide; it isn’t until you add a custom API and call an audience that you can start messing with these settings. Very confusing.
3. Validating ID Token! Parity in your team seems terrible…
Your docs clearly state that the ID Token should be validated any time you use user information, but then only some SDKs even have support to validate the ID Token natively. The React-Native-Auth0 SDK only validates the access token.
All SDKs should have a few validation functions. IMO there should be 3 in every SDK.
hasValidCredentials - Checks if EITHER the access token, or ID Token has expired. Currently it only checks for Access Token.
hasValidAccess - Checks if only the access token is valid.
hasValidId - Checks if only the ID is valid.
There are some really weird decisions, strange parity issues between SDKs, and just overall confusion.
Not sure if feedback like this helps, but I’m just airing out some initial frustrations. There may be many more, but if that ends up being the case, where there are conflicting/half-supported features, then looking to other options may be more convenient than working through these frustrations on Auth0.
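One way the three checks asked for in point 3 could be implemented on the client, as an added example that is not code from the original post or from the react-native-auth0 SDK. It assumes a credentials object { accessToken, idToken, expiresAt } (expiresAt recorded by the app from the token response) and an expected issuer and client ID as inputs; it also covers the opaque access token from point 2, whose expiry cannot be read from the token itself. Signature verification against the tenant's JWKS is deliberately not included and must be done before the ID token's claims are trusted.

```javascript
// Added example, not code from the original post or the react-native-auth0 SDK. Assumed
// credentials shape: { accessToken, idToken, expiresAt }, expiresAt being the epoch-second
// expiry the app recorded from the token response's expires_in at login. Claim checks only:
// the ID token's signature must still be verified against the tenant's JWKS before trust.
const CLOCK_LEEWAY_SECONDS = 60;

// Decode the payload of a compact JWT; returns null for opaque (non-JWT) tokens.
function decodeJwtPayload(token) {
  if (typeof token !== 'string' || token.split('.').length !== 3) return null;
  try {
    const claims = JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
    return claims && typeof claims === 'object' ? claims : null;
  } catch {
    return null;
  }
}

// A token counts as expired once it is within CLOCK_LEEWAY_SECONDS of its exp, so the
// app refreshes slightly early rather than sending a token that expires in transit.
function notExpired(expSeconds, now) {
  return Number.isFinite(expSeconds) && expSeconds - CLOCK_LEEWAY_SECONDS > now;
}

// Access token: with no audience requested it is opaque and has no readable exp, so the
// only usable expiry is the one stored at issuance (point 2 of the post).
function hasValidAccess(creds, now = Math.floor(Date.now() / 1000)) {
  return Boolean(creds && creds.accessToken) && notExpired(creds.expiresAt, now);
}

// ID token: always a JWT; check iss, aud (plus azp for multiple audiences), nonce, exp.
function hasValidId(creds, expected, now = Math.floor(Date.now() / 1000)) {
  const c = decodeJwtPayload(creds && creds.idToken);
  if (!c || c.iss !== expected.issuer) return false;
  const aud = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (!aud.includes(expected.clientId)) return false;
  if (aud.length > 1 && c.azp !== expected.clientId) return false;
  if (expected.nonce !== undefined && c.nonce !== expected.nonce) return false;
  return notExpired(c.exp, now);
}

// Both must hold, which is what the post asks hasValidCredentials to mean.
function hasValidCredentials(creds, expected, now = Math.floor(Date.now() / 1000)) {
  return hasValidAccess(creds, now) && hasValidId(creds, expected, now);
}
// Constructed, unsigned sample ID token for offline demonstration only.
function makeSampleIdToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.placeholder-signature`;
}
```

With real credentials the issuer is the tenant's https://<tenant>.auth0.com/ URL (trailing slash included) and expiresAt must be computed from expires_in at login, since the opaque access token exposes no exp claim.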