In need of input on a custom login flow

Hi, I’m part of a team developing a web app using Auth0 via a custom login and I would like to make sure that it is as secure as possible, even if we go slightly outside Auth0 recommendations.
The app is setup as a SPA in Auth0 with only password and MFA grants and CORS restricted to our domain.
It logs in using an instance of auth0-js WebAuth and more specifically though client.login and then a few axios posts to validate MFA.
An Auth0 rule adds user roles to the id_token which then is used as proof of authentication when communicating with the web app back-end that validates it through a jwt check of issuer and audience.
Is this a recommended flow when using a custom login?
I would appreciate all input.

Hi @henrikb,

Welcome to Auth0 Community!

The Classic (custom login) Experience has extensive customization options available. After choosing one of the templates, you can modify them to meet your needs. The Lock widget, if used, has a variety of both appearance and behavior options that can be changed. The Auth0.js based templates have even more flexibility, as the UI is entirely custom made and can be modified to match your application’s styles if you wish to do so.

Our recommended flow:

The OAuth2 working group has published a new general best current practices document for using OAuth2 to invoke APIs from Single Page Applications. The recommendation is now to use the authorization code grant with Proof Key for Code Exchange (PKCE), as opposed to using the implicit grant as described in the original OAuth2 spec. You can find more details in this blog post from our Principal Architect Vittorio Bertocci.

Please let me know if this is helpful!