Authenticate a trusted user without password

So we have a main web application which implements its own authentication & identity system (Rails + Devise). And we’re developing a new service which is embedded into the main web app. This service needs to talk to an API backend which uses Auth0. And slowly we will be migrating our main web application to Auth0 as well.

But during this transition phase, we know that the user is logged into the main application when they are accessing the new service via an iframe. Is it possible to generate a JWT for the user so they get logged into the new service automatically?

Hi @steve2

There are a couple of ways you can do this.

The easiest way is to hook your custom auth service into Auth0, then switch to Auth0. Auth0 is using your auth service, so users aren’t migrated yet, and you get the JWT.

A more complex way is to use a custom DB script and be creative. The backend of your web service should pass in a username and password to the Auth0 custom DB connection and get back a JWT. Do this with care, as if you are not extremely careful you will open up a security hole that lets anyone get a JWT. If you follow this approach, I’d recommend Professional Services from Auth0 to help out due to the complexity.

John

1 Like
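
One way to keep the custom DB approach in the answer above from letting anyone get a JWT, as an added example that is not from the thread or from Auth0: the main app's backend sends a short-lived, single-use, HMAC-signed assertion in place of the password, and the login check accepts only that. The token format, function names, lifetimes and shared secret are all assumptions.

```javascript
// Added example: a user-bound, short-lived, single-use assertion checked in
// place of a password. Token format and all names are assumptions.
const { createHmac, timingSafeEqual, randomUUID } = require("node:crypto");

const MAX_TTL_SECONDS = 60; // assumed upper bound on assertion lifetime
const seenIds = new Set();  // in-memory replay cache; use a shared store in production

const b64url = (buf) => Buffer.from(buf).toString("base64url");
const sign = (body, secret) => createHmac("sha256", secret).update(body).digest();

// Runs on the trusted main-app backend, only for an already authenticated session.
function mintAssertion(email, secret, nowSeconds) {
  const payload = { sub: email, exp: nowSeconds + 30, jti: randomUUID() };
  const body = b64url(JSON.stringify(payload));
  return `${body}.${b64url(sign(body, secret))}`;
}

// Runs where the "password" is checked. Returns true only for a fresh, unused
// assertion minted for exactly this user.
function verifyAssertion(email, assertion, secret, nowSeconds) {
  if (typeof assertion !== "string") return false;
  const parts = assertion.split(".");
  if (parts.length !== 2) return false;
  const [body, mac] = parts;
  const expected = sign(body, secret);
  const given = Buffer.from(mac, "base64url");
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return false;
  let payload;
  try {
    payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return false;
  }
  if (payload.sub !== email) return false;                      // bound to one user
  if (typeof payload.exp !== "number") return false;
  if (payload.exp <= nowSeconds) return false;                  // expired
  if (payload.exp - nowSeconds > MAX_TTL_SECONDS) return false; // lifetime too long
  if (typeof payload.jti !== "string" || seenIds.has(payload.jti)) return false; // replay
  seenIds.add(payload.jti);
  return true;
}
```

The secret must live only on the two backends; the browser and the iframe never see it, and the assertion they might observe is useless after one use or 30 seconds.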