From bba9499e2f133edaa2831fc24e40277b7eb43d90 Mon Sep 17 00:00:00 2001
From: Clinton Lunn
Date: Wed, 14 Jan 2026 15:26:11 -0700
Subject: [PATCH] fix(auth): use web app credentials for mobile ROPG refresh
---
 src/Config.ts | 2 --
 src/js/auth/mobile.ts | 13 ++++---------
 2 files changed, 4 insertions(+), 11 deletions(-)
diff --git a/src/Config.ts b/src/Config.ts
index 38d4602d6..663be347c 100644
--- a/src/Config.ts
+++ b/src/Config.ts
@@ -12,7 +12,6 @@ interface AUTH_CONFIG_SERVER_TYPE {
 issuer: string
 clientId: string
 clientSecret: string
- mobileClientId: string
 mgmtClientId: string
 mgmtClientSecret: string
 mgmtClientAudience: string
@@ -26,7 +25,6 @@ if (typeof window === 'undefined') {
 issuer: checkAndPrintWarning('AUTH0_DOMAIN', process.env.AUTH0_DOMAIN),
 clientId: checkAndPrintWarning('AUTH0_CLIENT_ID', process.env.AUTH0_CLIENT_ID),
 clientSecret: checkAndPrintWarning('AUTH0_CLIENT_SECRET', process.env.AUTH0_CLIENT_SECRET),
- mobileClientId: checkAndPrintWarning('AUTH0_MOBILE_CLIENT_ID', process.env.AUTH0_MOBILE_CLIENT_ID),
 mgmtClientId: checkAndPrintWarning('AUTH0_MGMT_CLIENT_ID', process.env.AUTH0_MGMT_CLIENT_ID),
 mgmtClientSecret: checkAndPrintWarning('AUTH0_MGMT_CLIENT_SECRET', process.env.AUTH0_MGMT_CLIENT_SECRET),
 mgmtClientAudience: checkAndPrintWarning('AUTH0_MGMT_CLIENT_AUDIENCE', process.env.AUTH0_MGMT_CLIENT_AUDIENCE),
diff --git a/src/js/auth/mobile.ts b/src/js/auth/mobile.ts
index 36e568445..aa8d06541 100644
--- a/src/js/auth/mobile.ts
+++ b/src/js/auth/mobile.ts
@@ -4,18 +4,13 @@ import { AUTH_CONFIG_SERVER } from '../../Config'
 if (AUTH_CONFIG_SERVER == null) throw new Error('AUTH_CONFIG_SERVER not defined')
-const mobileAuthSecret = process.env.MOBILE_AUTH_SECRET
-if (mobileAuthSecret == null) {
- console.warn('Mobile auth secret not found')
-}
-
-const { mobileClientId, issuer } = AUTH_CONFIG_SERVER
+const { clientId, clientSecret, issuer } = AUTH_CONFIG_SERVER
-// Set up Auth0 client for mobile with client secret for ROPG flow
+// Set up Auth0 client for mobile ROPG using web app credentials (confidential client)
 export const auth0Client = new Auth0.AuthenticationClient({
 domain: issuer.replace('https://', ''),
- clientId: mobileClientId,
- clientSecret: mobileAuthSecret
+ clientId,
+ clientSecret
 })
 export const isNullOrEmpty = (str: string | null | undefined): boolean => {
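Review bot: `auth0Client` now runs the mobile ROPG exchange under the web application's `clientId`/`clientSecret`, so mobile-issued tokens and refresh tokens would presumably carry the same client identity as web sessions and could no longer be distinguished, throttled or revoked per client. It also appears to require the Password grant to be enabled on the web application in the tenant, which widens what that one credential can do. The new comment line should record this, for example `// Shares the web app client: the Password grant must be enabled on that application, and rotating AUTH0_CLIENT_SECRET also affects mobile refresh`. The removed `MOBILE_AUTH_SECRET` warning has no counterpart in this hunk, and `checkAndPrintWarning` (defined outside the visible lines) seems to warn only, so the client is still constructed with an empty secret. If failing at startup is acceptable, `if (!clientSecret) throw new Error('AUTH0_CLIENT_SECRET is not set')` placed after the `AUTH_CONFIG_SERVER == null` check would surface the misconfiguration before the first token request.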