Saving refresh token in browser


We use Password Grant flow in a Single Page App (SPA) because we want to have a special custom login screen for the users and therefore cannot use the implicit flow.
The issue is with refresh tokens. It is possible to obtain a refresh token with the password grant flow, but the question is where to save that token?
According to the documentation, it’s not recommended to store the refresh token in the browser (neither localStorage nor cookies).

What’s the best practice in that case?

Edi Buslovich.

Refresh tokens cannot be stored in a browser context since Auth0 refresh tokens do not expire and do not rotate as of today.

Have you considered using embedded login with Auth0.js instead? It lets you use your own login page. An SSO session is created when the user logs in, so silent authentication can be used to obtain new tokens without having to rely on refresh tokens.

Thanks for the quick reply, Thameera.

What type of authorization flow is it? It’s not listed here.

Also, the SDK documentation states:

client.login(options, callback): Authenticates a user with username and password in a realm using /oauth/token. This will not initialize a SSO session at Auth0, hence can not be used along with silent authentication.

Is it outdated or am I missing something?

And last question, Custom Domains feature is necessary for that. Is it supported in the Developer Pro subscription?

Thanks in advance!

Yeah, it’s not a regular OAuth flow, but specific to Auth0. There’s some more docs on the differences here:

The Universal Login Page (ULP) is recommended for the best SSO experience, but if you want to stay away from that, embedded login is the way to go. SSO should work although there can be some edge scenarios where it does not. I’ll check the documentation separately.

Custom domains have to be used for embedded login to be compatible across all browsers (e.g. in cases where third-party cookies are blocked). The feature is available on all paid plans, including Developer Pro.

Great, thanks!
Just to make sure - for the simple flow of username/password with embedded login, silent login should work?

Yes, that’s right. I just tried this with a simple app and it worked. Let us know if something goes wrong.

Great, thank you very much for your help!
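The approach this thread settles on (no refresh token in the browser, new access tokens obtained through silent authentication against the SSO session) can be sketched as follows. This is an added example, not part of the original posts and not Auth0's code: `createTokenStore` and `makeFakeCheckSession` are hypothetical names, and the fake stands in for auth0.js `webAuth.checkSession(options, cb)` so the block runs outside a browser.

```javascript
// Added example. `silentAuth` must have the shape of auth0.js
// webAuth.checkSession(options, cb); in a browser pass
// webAuth.checkSession.bind(webAuth). createTokenStore is a hypothetical helper.
function createTokenStore(silentAuth, options, now = Date.now, skewMs = 30000) {
  let accessToken = null; // held in a closure only, never localStorage or a cookie
  let expiresAt = 0;
  let pending = null;     // callbacks waiting on one in-flight renewal

  function getToken(cb) {
    if (accessToken && now() < expiresAt - skewMs) return cb(null, accessToken);
    if (pending) { pending.push(cb); return; } // coalesce concurrent callers
    pending = [cb];
    silentAuth(options, (err, result) => {
      const waiters = pending;
      pending = null;
      if (err || !result || !result.accessToken) {
        accessToken = null;
        expiresAt = 0;
        // e.g. login_required: the SSO session is gone, show the login form
        const failure = err || { error: 'invalid_response' };
        waiters.forEach((w) => w(failure, null));
        return;
      }
      accessToken = result.accessToken;
      expiresAt = now() + result.expiresIn * 1000;
      waiters.forEach((w) => w(null, accessToken));
    });
  }

  function clear() { accessToken = null; expiresAt = 0; } // call on logout
  return { getToken, clear };
}

// Constructed stand-in for checkSession so the block runs outside a browser.
function makeFakeCheckSession(sessionAlive) {
  let calls = 0;
  const fake = (opts, cb) => {
    calls += 1;
    if (!sessionAlive()) return cb({ error: 'login_required' });
    return cb(null, { accessToken: 'constructed-token-' + calls, expiresIn: 60 });
  };
  fake.calls = () => calls;
  return fake;
}

const demo = createTokenStore(makeFakeCheckSession(() => true), { scope: 'openid' });
demo.getToken((err, token) => console.log(err ? err.error : token));
```

A page reload empties the in-memory store, so the first `getToken` call after a reload goes through silent authentication again; a `login_required` error is the signal to show the login form.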