Alternatives to silent/seamless logins

Hi folks,

I’m working on a web/mobile platform that uses Auth0 to authenticate our APIs, and we have a new partner that wants a white-label version of the platform that will be launched from their site. The challenge I have is that the partner wants to have a silent/seamless login to our platform, and doing a bit of research I’ve seen Auth0 used to support this, but it was deprecated for excellent reasons, yet we need it. The partner doesn’t support OAuth2 now, nor is it in their plans, and they don’t want to store any credentials (or proxy of them). They properly kicked the problem to our side.

I thought of an option to implement this: using a machine-to-machine integration (/Application) to do a password reset each time a user wants to log in via the partner, with a strong, throwaway password. This will solve the issue of storing anything sensitive, but I was wondering if this could trigger Auth0 protections (e.g. doing 5 password resets over a short period of time).

Another option that crossed my mind is to generate a strong password and encrypt/decrypt it with something like AWS KMS. When a customer wants to jump from the partner site to ours, I would decrypt the password and do a login via the API. This has similar issues to the solution above, and I don’t like the idea of storing anything sensitive on behalf of these users even if the passwords are strong, auto-generated and never shared.

If it helps in any way, the users will be stored in a different Auth0 database so they don’t clash with our own users (a user could be in theory registered on both). And as a bit of context, we have created some APIs for the partner to manage accounts (including Auth0 users), so the question is purely about the login aspect.

Does either of the 2 approaches sound sensible given the circumstances? Or is there any other approach you would suggest for this scenario?

Hi @eric876barlett. Thanks for your reply, but unfortunately LLMs are not very good at answering my type of questions.

Bumping this to see if I can get an answer from the Auth0 engineers.