My current flow is the following:
- The user opens a native app and, using the Facebook SDK, retrieves a Facebook access_token, then I exchange that for an Auth0 access token.
My understanding is that /oauth/access_token has been deprecated, but I cannot figure out how to replace it with one of the /oauth/token flows.
It seems to me that an OIDC-compliant alternative is not ready yet.
In the meantime I will be happy to continue using /oauth/access_token but I have two problems with it:
- access_token is not a JWT when using /oauth/access_token
- I can’t manage to add any custom claim to the id_token
Having to hit the /userinfo endpoint to retrieve the user information for each request is not really an option, as it would defeat the whole point of using JWT in the first place.
Is it possible that, as of today, there is no solution?