Support configuring endpoint

[lionhylra]

Checklist

• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

In our use case, we use different endpoints under different domain. For example, we want to use "https://www.mydomain/authorize" to open ASWebAuthenticationSession to login, but use "https://api.mydomain/token" for token exchange and session renewal.

By doing so, we can add extra logic(e.g. rate limiting, firewall) in our own endpoint and then redirect to auth0 endpoint.

Currently, the SDK only support configuring domain, and all endpoints are hardcoded: the path /authorize and /oauth/token are not configurable.

Describe the ideal solution

Can we make the SDK support customising the url for each endpoint? For example:

let webAuth = Auth0.webAuth(
    clientID: "",
    authorizeEndpointURL: "https://www.mydomain/authorize",
    tokenEndpointURL: "https://api.mydomain/token",
    ...
)

We can make this initialiser as an alternative and optional.

Alternatives and current workarounds

We create a new api and configure redirect rules, for example:
"https://auth.mydomain/authenticate" --> redirect to "https://www.mydomain/authenticate" --> redirect to "https://custom.domain.auth0app.com/authorize"

"https://auth.mydomain/token" --> redirect to "https://api.mydomain/token" --> redirect to "https://custom.domain.auth0app.com/oauth/token"

Currently, our API front door are "https://www.mydomain/authenticate" and "https://api.mydomain/token", used by both web and app. We have our own infrastructure configurations for those two. Ideally "https://auth.mydomain" can be the only front door in future but requires great amount of efforts to integrate. So currently "https://auth.mydomain" is only created for Auth0 SDK.

Additional context

We've thought of using "https://custom.domain.auth0app.com" directly with SDK, but the domain is not owned by us, thus we can't configure rate limiting, bot detection on top of it.

[Widcket]

Hi @lionhylra, thanks for raising this. The Auth0 endpoints are already rate-limited, and there are a range of security offerings available such as bot detection, breached password detection, brute-force protection, among others.

Also, allowing to change the endpoints would potentially allow the SDK to be used with other identity providers. Not sure this is something we want to support.

[Widcket]

Closing, as this is not something we'll be pursuing.