I am extremely confused as to what kind of sign in flow should be used by an auth0-powered application using React Native, or really any mobile app at all.
- I have my application working fine with the
- However, the “grant types” settings of my app say that “Using Password or MFA grant types with public clients is not recommended”. Since my app seems to be a “Public App”, I had to turn that off.
- The recommended solution instead seems to be a PKCE flow
- The PKCE flow is super confusing and while I have it semi-implemented, it appears to always require showing a webview for the user/password form
Is this really how it should be? Can I not send a user/password to get a token, or at least the code so I can get a token?
On top of all that,
- The Android SDK seems to use PKCE by default but also to send a username and password. How is this possible? Is the documentation omitting something?
- Auth0’s own React Native library uses password realm. If it’s not recommended, why is it used by the library and in the only login example?
- A JS example of PKCE implementation posted in a previous discussion conveniently leaves out the function on how an Auth URL produces a code, not making it clear what needs to be done and if there’s an alternative to a separate window/frame
I have so many questions and the more I read the more confused I get. Previous discussions on the subject don’t seem to help much as they only repeat things already said with no practical examples or reasonings.
What is the correct login flow for a public React Native application that wants to have its own login form?