Token for Desktop Application

Hi -

If I have a desktop app - and the user logs in using username / password - I am currently using Auth0-java.

As mentioned in the docs, it says the access token after a successful login is … “useful for securing an API, but not for authenticating a user”.

In other words, should this access token not be stored as a means to evidence successful login, and to keep the user “logged in”, i.e. for 30 days? If not, for a desktop app, what is then recommended?

Welcome back @nartz1. For desktop apps, the Authorization Code Flow with PKCE is recommended. The id_token received by the app is considered evidence of a successful authentication. The access_token is to be used as a bearer token while making an API call.
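
The PKCE half of the flow recommended above, as an added example that is not part of the original thread and is not Auth0's own code. It uses only the JDK (Java 10+); the class name `PkceExample`, the tenant domain, the client id and the loopback redirect URI are placeholder assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public class PkceExample {
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    // 32 random bytes -> 43-character verifier (RFC 7636 allows 43 to 128 characters).
    static String newVerifier() {
        byte[] buf = new byte[32];
        new SecureRandom().nextBytes(buf);
        return B64URL.encodeToString(buf);
    }

    // code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))), method "S256".
    static String challengeS256(String verifier) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(verifier.getBytes(StandardCharsets.US_ASCII));
        return B64URL.encodeToString(digest);
    }

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    // Authorization request the desktop app opens in the system browser.
    static String authorizeUrl(String domain, String clientId, String redirectUri,
                               String challenge, String state) {
        return "https://" + domain + "/authorize?response_type=code"
                + "&client_id=" + enc(clientId)
                + "&redirect_uri=" + enc(redirectUri)
                + "&scope=" + enc("openid profile")
                + "&code_challenge=" + challenge
                + "&code_challenge_method=S256"
                + "&state=" + enc(state);
    }

    public static void main(String[] args) throws Exception {
        // Self-check against the RFC 7636 Appendix B test vector.
        String rfc = challengeS256("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk");
        if (!rfc.equals("E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM")) throw new AssertionError(rfc);

        String verifier = newVerifier(); // kept in memory; sent only with the code exchange
        String state = newVerifier();    // random value compared on the redirect back
        // Placeholder tenant, client id and loopback redirect (assumptions, not real values).
        System.out.println(authorizeUrl("YOUR_TENANT.auth0.com", "YOUR_CLIENT_ID",
                "http://127.0.0.1:53682/callback", challengeS256(verifier), state));
    }
}
```

After the browser redirects back with `code`, the app checks `state`, then sends `code` together with the original `code_verifier` to the tenant's `/oauth/token` endpoint; the response carries the id_token and access_token discussed in the answer.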