Building an Application that Requires Auth0 API access of Users

Hi Friends,

I’m a bit new to using Auth0 so please bear with me here.

I’m looking to build an application in which my users are actually people who currently use Auth0 for their authentication/user management.

As part of the onboarding flow, I need these users to authorize use of their Management API (I assume via Oauth and receiving a bearer token similar to how many other apps authorize access).

I’m imagining the flow is:

(1) Have some sort of a direction to the UI to the following endpoint:
https://{theirAuth0Domain}.com/authorize?scope=openid profile email read:posts write:posts__&response_type=token&client_id={MY_CLIENT_ID}&redirect_uri={REDIRECT_LINK}

(2) Have the user authenticate (if necessary) and otherwise agree to consent

(3) Receive Bearer token from corresponding request sent back by Auth0

I’d like to verify this understanding is correct but also:

I’m a bit confused about how I can know their Auth0 domain at time of onboarding. Would I need to navigate them to some sort of Universal login to Auth0 first if they haven’t been authenticated?
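As an added illustration of steps (1) and (3) above (example code, not from the original post or from Auth0), the snippet below builds the `/authorize` URL with the `scope` properly URL-encoded, binds the request to the session with a random `state`, and checks that `state` when the redirect comes back. It uses the authorization code flow with PKCE (`response_type=code`) rather than `response_type=token`, since the code flow keeps the access token out of the browser URL; the tenant domain, client id and redirect URI are placeholders, not real values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values for illustration only (assumptions, not real tenants or apps).
# The tenant domain comes from the user being onboarded; the client id and redirect
# URI come from your own Auth0 application registration.
TENANT_DOMAIN = "example-tenant.us.auth0.com"
CLIENT_ID = "MY_CLIENT_ID"
REDIRECT_URI = "https://app.example.invalid/callback"
SCOPES = ["openid", "profile", "email", "read:posts", "write:posts"]


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method from RFC 7636."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(domain, client_id, redirect_uri, scopes, state, code_challenge):
    """Step (1): the URL the browser is sent to. urlencode() escapes the spaces in
    the scope list and the ':' in each scope, which a hand-built string easily misses."""
    params = {
        "response_type": "code",          # code flow; token is exchanged server-side
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,                   # random per-session value, stored server-side
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{domain}/authorize?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step (3): pull the authorization code out of the redirect, refusing any response
    whose state does not match the one issued for this session (CSRF / session mix-up)."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: discarding authorization response")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


if __name__ == "__main__":
    state = secrets.token_urlsafe(32)
    verifier, challenge = make_pkce_pair()
    url = build_authorize_url(TENANT_DOMAIN, CLIENT_ID, REDIRECT_URI, SCOPES, state, challenge)
    print("redirect user to:", url)
    # Constructed sample of the redirect Auth0 would send back after consent:
    sample_callback = f"{REDIRECT_URI}?code=SAMPLE_CODE&state={state}"
    print("authorization code:", parse_callback(sample_callback, state))
    # The code plus `verifier` would then be posted to the tenant's /oauth/token endpoint.
```

Persist `state` and the PKCE verifier in the server-side session before redirecting, so the callback can be matched to the session that started it; a callback that arrives without a matching `state` should be dropped and logged rather than processed.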

Hi @harshilmattoo

Your assumption is right. Generally for an application to gain permission to access a user’s account, the user must personally grant authorization as per the conventional OAuth 2.0 authorization procedure.

However, there is another possibility to skip user consent for first-party applications, but you would still need to have the user interact with Universal Login.

See the link below for more information on how to skip consent for first-party applications:

https://auth0.com/docs/get-started/applications/confidential-and-public-applications/user-consent-and-third-party-applications#skip-consent-for-first-party-applications