Properly implement Resource Owner Password Grant

Hi,
I’m facing the challenge of implementing Auth0 flow in our customer’s system, but I’m not sure which flow to choose.

What we have is SPA in Angular and backend in .NET Core (API - not MVC). The business need is to have fully customized pages (e.g. login and password reset). And (what is more important imo) NOT to have any redirects to external providers during log-in process, so if I’m not wrong implicit flow and authorization flow (purely frontend approaches) don’t fit there.

I looked through a lot of articles and I think that Resource Owner Password Flow fits the best in my case. I plan to send client credentials (usernamne and password) from SPA to backend and then authenticate user from backend side using this: https://auth0.com/docs/api/authentication (Resource Owner Password request to /oauth/token)

However, I am not convinced that what I’m doing is not an anti-pattern, that’s why I have a few questions:

1. Is what I described the only one option for my business requirements, or is there something better?
2. I need to register my backned in .NET Core as an API in the Auth0, but how to register Application (spa, regular web app)?
3. As far as I know, it is possible to authenticate from the SPA without sending client_secret, but don’t know if it won’t be a vulnerability? (it would then be possible to implement login on the frontend side)

Thanks

Hi @avenhard

Joke: how do you properly implement Resource Owner Password Grant? Don’t! Use Auth Code instead.
Sorry, not funny to anyone but me I bet.

ROPG is an anti-pattern, it is not recommended.

I would suggest either Auth Code or Auth Code + PKCE, depending on if you do the token exchange in the Angular front end or the .Net backend (use PKCE for the front end exchange).

Use Auth0’s CNAME feature so that even though you are redirecting to Auth0, the domain name belongs to you.

I hope this helps.

John