fix(auth): use web app credentials for mobile ROPG refresh (#1444)

Author: clintonlunn

src/Config.ts

@@ -12,7 +12,6 @@ interface AUTH_CONFIG_SERVER_TYPE {
   issuer: string
   clientId: string
   clientSecret: string
-  mobileClientId: string
   mgmtClientId: string
   mgmtClientSecret: string
   mgmtClientAudience: string
@@ -26,7 +25,6 @@ if (typeof window === 'undefined') {
     issuer: checkAndPrintWarning('AUTH0_DOMAIN', process.env.AUTH0_DOMAIN),
     clientId: checkAndPrintWarning('AUTH0_CLIENT_ID', process.env.AUTH0_CLIENT_ID),
     clientSecret: checkAndPrintWarning('AUTH0_CLIENT_SECRET', process.env.AUTH0_CLIENT_SECRET),
-    mobileClientId: checkAndPrintWarning('AUTH0_MOBILE_CLIENT_ID', process.env.AUTH0_MOBILE_CLIENT_ID),
     mgmtClientId: checkAndPrintWarning('AUTH0_MGMT_CLIENT_ID', process.env.AUTH0_MGMT_CLIENT_ID),
     mgmtClientSecret: checkAndPrintWarning('AUTH0_MGMT_CLIENT_SECRET', process.env.AUTH0_MGMT_CLIENT_SECRET),
     mgmtClientAudience: checkAndPrintWarning('AUTH0_MGMT_CLIENT_AUDIENCE', process.env.AUTH0_MGMT_CLIENT_AUDIENCE),

src/js/auth/mobile.ts

@@ -4,18 +4,13 @@ import { AUTH_CONFIG_SERVER } from '../../Config'
 
 if (AUTH_CONFIG_SERVER == null) throw new Error('AUTH_CONFIG_SERVER not defined')
 
-const mobileAuthSecret = process.env.MOBILE_AUTH_SECRET
-if (mobileAuthSecret == null) {
-  console.warn('Mobile auth secret not found')
-}
-
-const { mobileClientId, issuer } = AUTH_CONFIG_SERVER
+const { clientId, clientSecret, issuer } = AUTH_CONFIG_SERVER
 
-// Set up Auth0 client for mobile with client secret for ROPG flow
+// Set up Auth0 client for mobile ROPG using web app credentials (confidential client)
 export const auth0Client = new Auth0.AuthenticationClient({
   domain: issuer.replace('https://', ''),
-  clientId: mobileClientId,
-  clientSecret: mobileAuthSecret
+  clientId,
+  clientSecret
 })
 
 export const isNullOrEmpty = (str: string | null | undefined): boolean => {