We are building a login service for a mobile system and are strongly considering Auth0 as the OpenID Connect authentication broker, with the usual authentication providers (Google, Azure AD etc.). After the user has logged in once using the OpenID Connect flow via an embedded web view, we would offer a PIN / biometric login option in the future. Our flows (happy paths only) would look something like this:
FIRST LOGIN (DEVICE ACTIVATION):
1a. User is presented the Auth0 login options via a webview
2a. User logs in
3a. User is asked for a PIN and whether to activate biometric (TouchID / FaceID) login option
4a. PKE keypairs get generated on device and public key exchange is done to our backend
5a. Our backend stores the public key and links it to the user account id from Auth0
PIN / BIOMETRIC LOGIN:
1b. User enters his PIN / biometric login input in the mobile client and calls our backend
2b. Our backend presents a challenge to the mobile client
3b. The mobile client signs the challenge and returns it to the backend
4b. The backend checks the signature
5b. The backend checks from Auth0 that the linked user account is still valid
6b. The backend requests access tokens for the user (‘on his behalf’) from Auth0 and returns them to the mobile client
So my question becomes: is this approach (steps 5b & 6b) viable, and how would one go about implementing it? I could not find such examples via preliminary Googling (I may lack the proper terminology to find them). I assume it might involve storing the user’s refresh token securely in our backend and using that to generate fresh tokens?
Thank you,
- M
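The device-key challenge/response of steps 2b to 4b, as an added example that is not part of the original post: a Go sketch of the backend side with an in-memory key registry and single-use nonces, where NewDeviceKey stands in for the on-device keypair of step 4a. The Auth0 calls of steps 5b and 6b are not modelled, and all function names and the user id format are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Backend (example, in-memory): device public keys registered at activation (step 5a),
// keyed by the Auth0 user id, plus the single outstanding challenge nonce per user (step 2b).
type Backend struct {
	keys       map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewBackend() *Backend { return &Backend{map[string]*ecdsa.PublicKey{}, map[string][]byte{}} }

// NewDeviceKey stands in for step 4a (a P-256 keypair made on the device); Register is step 5a.
func NewDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func (b *Backend) Register(userID string, pub *ecdsa.PublicKey) { b.keys[userID] = pub }

// Issue hands out a fresh 32-byte random nonce (step 2b), replacing any earlier one for the user.
func (b *Backend) Issue(userID string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	b.challenges[userID] = nonce
	return nonce, nil
}

// DeviceSign is step 3b: the device signs the nonce with the private key that never leaves it.
func DeviceSign(priv *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is step 4b. The nonce is deleted on first use, pass or fail, so a captured signature
// cannot be replayed; only after this returns nil should the backend go on to steps 5b/6b.
func (b *Backend) Verify(userID string, sig []byte) error {
	nonce, ok := b.challenges[userID]
	if !ok {
		return errors.New("no outstanding challenge for user")
	}
	delete(b.challenges, userID)
	digest := sha256.Sum256(nonce)
	if pub := b.keys[userID]; pub == nil || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match the registered device key")
	}
	return nil
}
```

A production version would also give each nonce an expiry and reject stale challenges in Verify, and would keep the key registry in persistent storage rather than a map.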