We use Password Grant flow in a Single Page App (SPA) because we want to have a special custom login screen for the users and therefore cannot use the implicit flow.
The issue is with refresh tokens. It is possible to obtain a refresh token with the password grant flow, but the question is where to save that token?
According to the documentation, it’s not recommended to store the refresh token in the browser (neither in localStorage nor in cookies).
Refresh tokens cannot be stored in a browser context since Auth0 refresh tokens do not expire and do not rotate as of today.
Have you considered using embedded login with Auth0.js instead? It lets you use your own login page. An SSO session is created when the user logs in, so silent authentication can be used to obtain new tokens without having to rely on refresh tokens.
client.login(options, callback): Authenticates a user with username and password in a realm using /oauth/token. This will not initialize an SSO session at Auth0, hence cannot be used along with silent authentication.
Is it outdated or am I missing something?
And a last question: the Custom Domains feature is necessary for that. Is it supported in the Developer Pro subscription?
The Universal Login Page (ULP) is recommended for the best SSO experience, but if you want to stay away from that, embedded login is the way to go. SSO should work, although there can be some edge scenarios where it does not. I’ll check the documentation separately.
A custom domain has to be used for embedded login to be compatible across all browsers (e.g. in cases where third-party cookies are blocked). The feature is available on all paid plans, including Developer Pro.
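The pattern the replies above recommend for an SPA (keep the access token in page memory only, never persist a refresh token, and obtain new tokens through silent authentication against the SSO session) can be sketched as a small token store. This is an added example, not code from the thread, from Auth0 or from Auth0.js: `silentAuth` is an injected async function that in a real app would wrap Auth0.js `webAuth.checkSession` (assumed API), `onLoginRequired` stands in for sending the user back to the login page, and the `err.error === 'login_required'` check assumes the OIDC error code shape Auth0 returns when no SSO session is reachable.

```javascript
'use strict';

// Hypothetical helper (added example, not from the original thread or Auth0).
// Access token lives only in this object; nothing is written to localStorage or
// cookies, and a refresh_token is never retained.

const LEEWAY_SECONDS = 60; // renew this long before the access token would expire

class InMemoryTokenStore {
  constructor({ silentAuth, onLoginRequired, now = () => Date.now() }) {
    this.silentAuth = silentAuth;          // async () => { accessToken, expiresIn, ... }
    this.onLoginRequired = onLoginRequired; // () => void, e.g. redirect to login page
    this.now = now;                         // injectable clock (ms since epoch)
    this.accessToken = null;
    this.expiresAt = 0;
  }

  // Keep only the fields that are safe to hold in the browser. A refresh_token,
  // should one ever be returned, is deliberately discarded rather than stored.
  accept(result) {
    if (!result || typeof result.accessToken !== 'string' || !(result.expiresIn > 0)) {
      throw new Error('malformed token result');
    }
    this.accessToken = result.accessToken;
    this.expiresAt = this.now() + result.expiresIn * 1000;
    return { accessToken: this.accessToken, expiresAt: this.expiresAt };
  }

  // True while the token is usable with LEEWAY_SECONDS to spare.
  isFresh() {
    return this.accessToken !== null &&
      this.now() + LEEWAY_SECONDS * 1000 < this.expiresAt;
  }

  // Forget all token state; called whenever renewal fails.
  clear() {
    this.accessToken = null;
    this.expiresAt = 0;
  }

  // Map a failed silent authentication to an action. A missing or unreachable SSO
  // session (including the blocked third-party-cookie case without a custom
  // domain) is assumed to surface as the OIDC error code 'login_required'.
  handleRenewalError(err) {
    this.clear();
    if (err && err.error === 'login_required') {
      this.onLoginRequired();
      return 'login_required';
    }
    throw err; // network or unexpected errors propagate to the caller
  }

  // Return a usable access token, renewing via the SSO session when needed.
  async getAccessToken() {
    if (this.isFresh()) return this.accessToken;
    let result;
    try {
      result = await this.silentAuth();
    } catch (err) {
      this.handleRenewalError(err);
      return null;
    }
    return this.accept(result).accessToken;
  }
}

// Build an Authorization header for an API call straight from memory.
async function authHeader(store) {
  const token = await store.getAccessToken();
  return token ? { Authorization: `Bearer ${token}` } : null;
}

// Offline demo with a fake SSO session and a fake clock (constructed data).
async function demo() {
  let clock = 1700000000000;
  let renewals = 0;
  const store = new InMemoryTokenStore({
    silentAuth: async () => ({ accessToken: `at-${++renewals}`, expiresIn: 300,
                                refreshToken: 'never-kept' }),
    onLoginRequired: () => console.log('redirecting to login page'),
    now: () => clock,
  });
  console.log(await authHeader(store)); // first call renews: at-1
  clock += 200 * 1000;                  // 100 s left, above the 60 s leeway
  console.log(await authHeader(store)); // at-1 again, no renewal
  clock += 100 * 1000;                  // inside the leeway window
  console.log(await authHeader(store)); // renewed: at-2
  return renewals;                      // 2
}

demo();
```

The store holds nothing that survives a page reload; after a reload the SPA calls `silentAuth` again and, if the SSO session is gone, lands the user on the login page instead of relying on a long-lived refresh token in browser storage.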