We’re planning to use Resource Owner Resource Grant as explained here (https://auth0.com/docs/api-auth/tutorials/password-grant#optional-customize-the-tokens) to implement authentication in our mobile app.
We prefer this over the Proof Key for Code Exchange (PKCE) OAuth 2.0 grant (https://auth0.com/docs/api-auth/grant/authorization-code-pkce) because we want to provide a simple login form for our users instead of redirecting them to Auth0.
In the Resource Owner Resource Grant, the client secret must be passed during authentication and hence must be stored in the client. What are the risks if the secret is compromised? As far as I know, if the secret is compromised there should be little damage if the client is only allowed access to a specific API.
Here is how I will set up the app:
- Create an API called mobile API with signing algorithm HS256.
- No custom scope is provided.
- Create a Non Interactive client that has access to that API only.
Or is there a simple and secure way to authenticate using username and password form in mobile apps?
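As an added illustration (not part of the original question, and not Auth0's own code), the script below builds the two token-endpoint requests side by side so the difference in what the app has to store is visible: the password grant carries the user's password and a long-lived `client_secret` in the request body, while the authorization-code-with-PKCE exchange carries only a one-time `code_verifier` generated on the device for that login. The PKCE verifier/challenge construction follows RFC 7636 (S256 method); the request body field names are assumed to match Auth0's `/oauth/token` endpoint as described in the linked docs, and the URL, client id, audience and credentials are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(entropy_bytes: int = 48) -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.

    The verifier is a fresh random string per login attempt (RFC 7636 wants
    43..128 characters); it never leaves the device until the code exchange,
    and only its SHA-256 hash goes to the authorization endpoint.
    """
    verifier = _b64url(secrets.token_bytes(entropy_bytes))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """What the authorization server does at the token endpoint: recompute
    S256(verifier) and compare it to the challenge seen at /authorize."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, challenge)


def password_grant_body(username: str, password: str, client_id: str,
                        client_secret: str, audience: str) -> dict:
    """Resource Owner Password grant request body (field names assumed to
    match the Auth0 docs). Note that client_secret must be present, so the
    app has to ship it."""
    return {
        "grant_type": "password",
        "username": username,
        "password": password,
        "audience": audience,
        "client_id": client_id,
        "client_secret": client_secret,
    }


def pkce_exchange_body(code: str, verifier: str, client_id: str,
                       redirect_uri: str) -> dict:
    """Authorization Code + PKCE exchange body: no client secret, only the
    per-login verifier that matches the challenge sent earlier."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code_verifier": verifier,
        "code": code,
        "redirect_uri": redirect_uri,
    }


def long_lived_secrets_in(body: dict) -> list[str]:
    """Fields that are static credentials an attacker could reuse if the app
    binary or its traffic were captured (password is per-user, client_secret
    is shared by every install of the app)."""
    return [k for k in ("client_secret", "password") if k in body]


if __name__ == "__main__":
    # Constructed placeholder values; none of these are real Auth0 settings.
    verifier, challenge = make_pkce_pair()
    ropc = password_grant_body("alice", "hunter2", "CLIENT_ID_PLACEHOLDER",
                               "CLIENT_SECRET_PLACEHOLDER",
                               "https://mobile-api.example")
    pkce = pkce_exchange_body("AUTH_CODE_PLACEHOLDER", verifier,
                              "CLIENT_ID_PLACEHOLDER", "myapp://callback")
    print("ROPC ships:", long_lived_secrets_in(ropc))
    print("PKCE ships:", long_lived_secrets_in(pkce))
    print("server accepts verifier:", verify_pkce(verifier, challenge))
```

The `long_lived_secrets_in` check is the point of the exercise: for the password grant the answer is `['client_secret', 'password']`, for the PKCE exchange it is an empty list, because the verifier is single-use and tied to one authorization code.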