Delegate platform access to customer's existing authentication setup

We have a client who already has an application’s authentication set up with auth0 and wants to give their end-users access to our API. Our impression so far is the best way to accomplish this is to provide end-users with two access tokens, one for our client’s backend services and the other for our platform’s APIs.

Some things we have considered:

  • Using token exchange to provide our platform’s token in exchange for the client’s token, however auth0 does not support this yet. Feature request is here.
  • OIDC SSO connection - we were able to get the second access token using this but it requires an additional end-user login. Potentially workable but not an ideal solution.
  • Updating either API’s authorizer to accept the other side’s access tokens. We would prefer not to do this because it feels too much like a one-off solution.

Can anyone help point us in the right direction?

Thank you!