Hey guys. I’m having some issues finding the best way to handle Username-Password authentication in my Expo App.
I’ve read the docs a lot, and it seems the only way to do this is by issuing a POST request to my authorization server with a grant_type:password. However, this requires the client_secret, which I really don’t want my users to have on their phones.
So the other thing I was thinking was to log in my users from the server side. However, this also brings up other issues, like no brute force protection and not being able to use the PKCE flow (at least I think so).
So what is the best practice for this VERY common scenario? We find that browser-based authentication goes against the UX we want to achieve in our app, so we would really like to keep the user inside the app and let them enter their credentials directly in the app.
Since I’m using Expo, I’m unable to use the react-native-auth0 package, as it would require detaching the app.
I know this was asked before, but the authorization endpoint specs changed, since it’s now asking for the client_secret, which it didn’t ask for before, and we would prefer not to use a deprecated endpoint.
Any help would be greatly appreciated.