In v2 we can no longer build out our own token request about auth0.swift HOT 9 CLOSED

Hi @ellneal, thanks for raising this.

The code credentials grant is already supported through dedicated methods for logging in with username/password (e.g. this one). Do these methods address your use case? If not, could you please provide more information about your use case?

from auth0.swift.

I'm using the client_credentials grant (with an audience and a client_secret). I can't find any explicit method that supports this unless I'm mistaken?

from auth0.swift.

Mobile apps are considered public clients, so there is no need to provide a client_secret (it can be easily retrieved from the app binary).

from auth0.swift.

So you can use https://auth0.github.io/Auth0.swift/documentation/auth0/authentication/login(usernameoremail:password:realmorconnection:audience:scope:)-5yc0w/ for this.

from auth0.swift.

Our use case here is complicated, but rest assured that we are not storing a secret in the app binary. However, we do still need to use the client_credentials grant, and I would argue that since it's a function supported by the Auth0 API, it should be possible to call it from the Auth0 Swift SDK without resorting to hacks.

This is how I built the request using the v1 SDK.

let authentication = Auth0.authentication(clientId: theClientId, domain: theDomain)
let request = authentication.tokenExchange(withParameters: [
    "grant_type": "client_credentials",
    "audience": theAudience,
    "client_secret": theClientSecretThatIsNotHardcodedIntoTheBinarySoYouNeedNotWorry
])

And this is how I currently have to achieve the same result with the v2 SDK:

extension Auth0.Authentication {
    func clientCredentials(audience: String, secret: String) -> Request<Credentials, AuthenticationError> {
        codeExchange(withCode: "", codeVerifier: "", redirectURI: "")
            .parameters([
                "code": nil,
                "code_verifier": nil,
                "redirect_uri": nil,
                "grant_type": "client_credentials",
                "audience": audience,
                "client_secret": secret
            ] as [String: Any?] as [String: Any])
    }
}

from auth0.swift.

However, we do still need to use the client_credentials grant, and I would argue that since it's a function supported by the Auth0 API, it should be possible to call it from the Auth0 Swift SDK without resorting to hacks.

Not all grants are supported for all application types. The client credentials grant is not supported for public clients. Mobile applications are public clients, so it is not supported by our mobile SDKs: https://auth0.com/docs/get-started/applications/application-grant-types#public-applications

from auth0.swift.

Our use case also isn't a public application, but thanks for your assistance anyway.

from auth0.swift.

Could you please expand on more detail why you need the client credentials grant in particular?

from auth0.swift.

We're using it as an interim solution for device authentication because the Auth0 device flow does not yet support multiple organisations.

I'm not advocating for the client credentials grant to have an explicit method added as I understand that your goal is to discourage use of that where it's a potential security risk. Hence my feature request is for the token() function (or even just the Request initialisers) to be made public so that we can build our own parameter sets when calling /oauth/token.

from auth0.swift.