How to generate a client assertion signing key for a native app to sign in with PKCE?

I’m working on a native app with a backend component (both in node.js), and I’m trying to authenticate the native app securely. Since the native app will be publicly distributed, I want to authenticate with the Authorization Code Flow with PKCE. I’m trying to use the @auth0/auth0-auth-js package for that, but AuthClient.buildAuthorizationUrl raises a MissingClientAuthError, telling me that the client secret or client assertion signing key must be provided.

The code I’m working on will be running natively, so the client-secret is a no-go. That leaves a client assertion signing key. However, I couldn’t find any guidance from Auth0 on creating one (and keeping it secure); how can I create a client assertion signing key for use with @auth0/auth0-auth-js, and how should I handle it responsibly?

Ah, apparently this is described in the docs here. That said, this might not even be the best approach for my needs. However, opining on that is beyond the scope of this post.

Hi @jessetg

Welcome to the Auth0 Community!

Reading through your use-case, I would recommend looking through the following documentation Authenticate with Private Key JWT for more details on how to build the assertion for the desired flow. I believe you should be able to complete this using the @auth0/auth0-auth-js package.

The following documentation on Signing Keys can also be useful on the matter of JWT private keys.

Hope this helps!
Gerald


Thank you, I appreciate the response. Unfortunately, it looks like Private Key JWT support is only available on the Enterprise plan; that’s actually what led me to reconsider whether it’s really the method I need.
