Authenticate as a generic Azure user

I have this scenario:

Our product logs in and captures the access token to be able to hit an API. When a user logs in through Azure AD, the API is able to find the Microsoft identity and do some Graph API requests (notably, upload a document to SharePoint).

We have a second product, the Client Portal, that does not use Auth0 to authenticate. The Client Portal is for our customers’ clients, so a different pool of users. A client user can upload a document to the Client Portal. We want these uploads to send an API request and ultimately upload to SharePoint.

I have been struggling to find a way to authorize a generic user. I can get an access token for the Auth0 Management API, but our product API is expecting to be able to get a Microsoft user from the access token. I looked into the Authorization Code Flow but I don’t want to show the client user any kind of UI because they aren’t part of the main product. Has anyone solved a problem like this?

Hi @kendyl.drayer,

How do you validate the requests of your clients' users that don't log in to Auth0? Do they receive a token after they log in?

It sounds like you could possibly set the Client Portal up as a machine-to-machine application in the Auth0 dashboard, and use the Client Credentials Flow to request a token and authenticate the requests to your backend API.

Let me know if I’m missing something.

For our case, we ended up writing something to generate a token as needed that authenticates with Microsoft in our API. We realized it didn’t have to talk to Auth0.
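Both the Client Credentials Flow suggested for Auth0 and the "generate a token as needed that authenticates with Microsoft" approach in the last reply are the same OAuth 2.0 `client_credentials` grant; only the token endpoint and one parameter differ (Auth0 identifies the target API with `audience`, the Microsoft identity platform with `scope=https://graph.microsoft.com/.default`). The block below is an added example, not code from the original thread or from either product. It assumes placeholder endpoint and tenant values, a hypothetical fake transport for offline use, and that the app registration in Entra ID has been granted an application permission for the SharePoint site (for example `Sites.Selected` scoped to that one site rather than tenant-wide `Sites.ReadWrite.All`). The client secret must stay on the server side of the Client Portal; the portal's end users never see a login UI or a token.

```python
"""Client-credentials token source that works against Auth0 or Microsoft, with caching."""
import json
import time
import urllib.parse
import urllib.request

# Placeholder endpoints (assumed; substitute your own tenant values).
AUTH0_TOKEN_URL = "https://YOUR_DOMAIN.auth0.com/oauth/token"
MS_TOKEN_URL = "https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(token_url, client_id, client_secret, *, audience=None, scope=None):
    """Build the form body for an OAuth 2.0 client_credentials grant.

    Auth0 wants `audience=<API identifier>`; Microsoft wants `scope=<resource>/.default`.
    Everything else about the grant is identical.
    """
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if audience:
        form["audience"] = audience
    if scope:
        form["scope"] = scope
    body = urllib.parse.urlencode(form).encode("utf-8")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return token_url, body, headers


def parse_token_response(raw, now):
    """Convert the JSON token response into a record with an absolute expiry.

    An OAuth error body raises instead of yielding a half-filled record, so a
    misconfigured secret fails loudly at token time rather than at the Graph call.
    """
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(f"token endpoint error: {data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type: {data.get('token_type')!r}")
    return {"access_token": data["access_token"], "expires_at": now + int(data.get("expires_in", 0))}


def http_post(url, body, headers):
    """Default transport: a real HTTPS POST (replaced by a fake in offline tests)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


class ClientCredentialsTokenSource:
    """Fetches a token on demand and reuses it until shortly before expiry.

    Reuse matters: every grant is a network round trip that counts against the
    identity provider's rate limits, and these tokens are short-lived anyway.
    """

    def __init__(self, token_url, client_id, client_secret, *, audience=None, scope=None,
                 transport=http_post, clock=time.time, refresh_skew=60):
        self._request = build_token_request(token_url, client_id, client_secret,
                                            audience=audience, scope=scope)
        self._transport = transport
        self._clock = clock
        self._skew = refresh_skew
        self._cached = None
        self.fetch_count = 0  # exposed so callers can observe caching behaviour

    def token(self):
        now = self._clock()
        if self._cached is None or now >= self._cached["expires_at"] - self._skew:
            url, body, headers = self._request
            self._cached = parse_token_response(self._transport(url, body, headers), now)
            self.fetch_count += 1
        return self._cached["access_token"]


def graph_upload_request(site_id, file_path, token):
    """URL and headers for Graph's simple upload: PUT .../drive/root:/{path}:/content.

    `site_id` is the Graph site identifier; the bearer token comes from the source above.
    """
    url = f"https://graph.microsoft.com/v1.0/sites/{site_id}/drive/root:/{file_path}:/content"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/octet-stream"}
    return url, headers


if __name__ == "__main__":
    # Real run (assumed values): acquire a Graph token directly from Microsoft.
    source = ClientCredentialsTokenSource(MS_TOKEN_URL, "APP_CLIENT_ID", "APP_CLIENT_SECRET",
                                          scope=GRAPH_DEFAULT_SCOPE)
    print(graph_upload_request("SITE_ID", "Shared Documents/upload.pdf", source.token())[0])
```

The token source holds no user identity at all: the resulting token represents the application, so the product API on the receiving end must accept an app-only caller (or the Client Portal must call Graph itself, as the last reply did) rather than expecting to resolve a Microsoft user from it.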