I’m building the Publishing service for Lightroom that needs to communicate with an API server. Since I don’t trust Adobe or Lightroom to keep users’ info secure, I’d like to know what would be the perfect flow for this case.
My approach …
I followed https://auth0.com/docs/api-auth/which-oauth-flow-to-use and got ‘Authorization Grant PKCE’ since, in my opinion, it is a native app that I don’t trust.
Requirements for the API server are few: a valid JWT, permissions (scopes) and user ID (sub?).
At this point, I have an implementation that uses id_token, but that doesn’t implement refresh_token, and I kind of need that since it’s not nice to ask the user to log in every 30 days and republish all synced collections.
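The two checks the post relies on, as an added example that is not part of the original post or of any Auth0 SDK: the PKCE S256 challenge/verifier pair from RFC 7636 that a native client builds and the authorization server verifies at the token endpoint, and the API-side scope/sub check on a token whose signature is assumed to have already been validated. Claim values are constructed; the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from typing import Optional


def _b64url(raw: bytes) -> str:
    # base64url without padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636 section 4.1: 43..128 unreserved characters; 32 random bytes -> 43 chars
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    # RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, presented_verifier: str, method: str = "S256") -> bool:
    # Authorization-server side (section 4.6): the challenge was stored with the
    # authorization request; the verifier arrives with the code at the token endpoint.
    if method != "S256":
        return False  # "plain" offers no protection against an intercepted challenge
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


def authorize_api_call(claims: dict, required_scope: str) -> Optional[str]:
    # API side: signature, issuer, audience and expiry are assumed verified by the
    # JWT library before this point; here only the scope is enforced and the
    # caller's user ID (the "sub" claim) is returned, or None if access is denied.
    scopes = claims.get("scope", "").split()
    if required_scope not in scopes:
        return None
    sub = claims.get("sub")
    return sub if isinstance(sub, str) and sub else None
```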