Hi Dan! Thanks for your help.
I read that topic, the thing is that the approach explained for a password grant scenario involves having the client_secret inside the client/Expo app (docs in question).
Doing the same thing server-side involves, according to these docs, forwarding the IP address of the user logging in. However, if my Auth0 client is set as a Native application, I am not allowed to enable the options necessary according to the aforementioned docs. Since I’m unable to forward the IP address of my users, I technically do not have brute force protection, right?
Also, I believe the client credentials flow is specifically designed for M2M situations, whereas I’m looking for the most secure way to log in my users in a public Expo App using a username/password flow.
Thanks again for your help,
Henry