I am currently evaluating Auth0 for our company, and I have hit a wall that may cause us to be unable to move forward with Auth0. I am hoping that is not the case, hence the post.
Essentially, we have need of some form of anonymous user. We are reducing friction and creating investment by allowing a user to go through a good portion of our flow before asking them to authenticate in any form.
As such, we need a way to identify that user/session and link it to the Auth0 user once they authenticate. Due to the way our auth layer works, we must have a JWT to handle authentication and authorization, even for an anonymous user.
Effectively, what this means is that I need to be able to manually generate a custom JWT with specific claims/roles/userID/etc that the client can use to authenticate until they log in through Auth0 and receive a “real” JWT.
Alternatively, if I could generate some kind of JWT with a unique ID inside it, then provide that to the client, that would also work, I believe. Custom claims aren’t strictly necessary.
Thus far I’ve not been able to find any way to do this with Auth0. Is this possible?
This may be possible, but there isn’t a turn-key feature we offer to facilitate creating anonymous JWTs.
Using an Auth0 DB connection, you would need to provide some placeholder email, which you would later change to the user’s actual email. That’s the best way I can think of with the rigid constraints you’ve outlined here.
You can create users using the Auth0 Management API v2 create users endpoint. You would need to figure out a strategy for updating the user’s email when they finally sign up. It is also important to consider the possible security implications of this type of flow.
This isn’t a flow that Auth0 supports natively, and is going to require quite a bit of development/workaround on your end.
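A sketch of the placeholder-email approach from the answer above, added here as an illustration; it is not Auth0's code or code from the thread. It only builds the two Management API v2 requests (create user, then update email) without sending them. The placeholder domain, connection name, `anonymous` flag in `app_metadata`, and function names are assumptions.

```python
import json
import secrets
import urllib.request
from urllib.parse import quote

PLACEHOLDER_DOMAIN = "anon.example.invalid"      # assumption: reserved TLD, never deliverable
CONNECTION = "Username-Password-Authentication"  # assumption: the tenant's DB connection name

def _request(method, url, mgmt_token, body):
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {mgmt_token}",
                 "Content-Type": "application/json"})

def create_anonymous_user(tenant_domain, mgmt_token):
    """Build POST /api/v2/users for a placeholder account; returns (request, anon_id)."""
    anon_id = secrets.token_urlsafe(16)  # unguessable ID linking session and user
    body = {
        "connection": CONNECTION,
        "email": f"{anon_id}@{PLACEHOLDER_DOMAIN}",
        # Random password that is never stored, so nobody can log in with it.
        "password": secrets.token_urlsafe(32) + "aA1!",
        "email_verified": False,
        "verify_email": False,           # do not send mail to the placeholder
        "app_metadata": {"anonymous": True, "anon_id": anon_id},
    }
    url = f"https://{tenant_domain}/api/v2/users"
    return _request("POST", url, mgmt_token, body), anon_id

def upgrade_user(tenant_domain, mgmt_token, user, real_email):
    """Build PATCH /api/v2/users/{id}; refuses accounts not flagged anonymous."""
    if not user.get("app_metadata", {}).get("anonymous"):
        raise ValueError("refusing to change email on a non-anonymous account")
    if real_email.lower().endswith("@" + PLACEHOLDER_DOMAIN):
        raise ValueError("real email must not use the placeholder domain")
    body = {
        "connection": CONNECTION,
        "email": real_email,
        "email_verified": False,         # stays unverified until the user proves it
        "verify_email": True,            # trigger the verification mail
    }
    uid = quote(user["user_id"], safe="")  # user IDs contain '|'
    return _request("PATCH", f"https://{tenant_domain}/api/v2/users/{uid}", mgmt_token, body)
```

Both calls need a Management API token and belong on the backend only; the `anonymous` flag lets authorization code treat the account as unauthenticated until the email change is verified.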