I have an API defined on Auth0 which represents Resource Server Endpoints.
I have native clients for iOS & Android. The app supports both logged-in & non-logged-in users. The logged-in users' use case is quite straightforward: the request is authenticated against the user's auth token.
However, in the case of non-logged-in users, I want the client apps to send some sort of access token to identify them as such. But as there is no Client Credentials Grant for native apps, how can this be achieved?
I looked at the PKCE flow, but it doesn't seem to be helpful as it redirects the /authorize call to user login, which in the first place is not the scenario of this use case.
In general a native application will be considered a public client and as such will not be able to perform client authentication which is a requirement for client credentials grant. Basically, anything that can be made available to the application running on a user device can also (with sufficient determination) be extracted from that client application which would result in your server not knowing if a request was from your real client application or an attacker acting as it.
If you have endpoints that can be called without a notion of an end-user token and from a public client, then I think you're pretty much in an arms race kind of situation; you can implement something to deter one level of attackers, but that is ultimately not foolproof. In this situation you may need to question if you want to enter that race or just accept that you might as well consider focusing on stuff that you should likely implement either way and that may mitigate part of the situation. In particular, you may consider applying a heavier rate limit policy for requests that are not end-user authenticated.
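The tiered rate limit suggested in the answer above, as an added example that is not part of the original thread: requests carrying a valid end-user token are counted per user with a generous limit, while anonymous requests are counted per source IP with a strict one. The HMAC-signed demo token, `DEMO_SECRET`, and the `TieredRateLimiter` class are constructed for this example; a real Auth0 resource server would validate the issued RS256 JWT (signature, issuer, audience, expiry) with a JWT library instead.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed demo secret (assumption): stands in for real JWT validation.
DEMO_SECRET = b"constructed-demo-secret"


def make_demo_token(sub):
    """Build a constructed token of the form '<sub>.<hexmac>' for the demo."""
    return sub + "." + hmac.new(DEMO_SECRET, sub.encode(), hashlib.sha256).hexdigest()


def verify_token(token):
    """Return the subject if the token is validly signed, otherwise None."""
    try:
        sub, mac = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(DEMO_SECRET, sub.encode(), hashlib.sha256).hexdigest()
    return sub if hmac.compare_digest(mac, expected) else None


class TieredRateLimiter:
    """Fixed-window limiter: end-user-authenticated requests are keyed by subject,
    anonymous (or invalidly signed) requests are keyed by client IP with a lower cap."""

    def __init__(self, user_limit=100, anon_limit=10, window=60, clock=time.time):
        self.user_limit, self.anon_limit = user_limit, anon_limit
        self.window, self.clock = window, clock
        self.counts = defaultdict(lambda: [0, 0.0])  # key -> [count, window_start]

    def check(self, ip, authorization=None):
        """Return (allowed, tier); tier is 'user' or 'anon'."""
        sub = None
        if authorization and authorization.startswith("Bearer "):
            sub = verify_token(authorization[len("Bearer "):])
        if sub:
            key, limit, tier = ("user", sub), self.user_limit, "user"
        else:
            key, limit, tier = ("anon", ip), self.anon_limit, "anon"
        now = self.clock()
        entry = self.counts[key]
        if now - entry[1] >= self.window:  # start a fresh window
            entry[0], entry[1] = 0, now
        entry[0] += 1
        return entry[0] <= limit, tier
```

A forged or expired token is not an error case here; it simply drops the request into the anonymous tier, so tampering with a token never buys more than an unauthenticated request gets.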