We have a client who already has an application’s authentication set up with Auth0 and wants to give their end-users access to our API. Our impression so far is that the best way to accomplish this is to provide end-users with two access tokens, one for our client’s backend services and the other for our platform’s APIs.
Some things we have considered:
- Using token exchange to provide our platform’s token in exchange for the client’s token; however, Auth0 does not support this yet. Feature request is here.
- OIDC SSO connection - we were able to get the second access token using this, but it requires an additional end-user login. Potentially workable, but not an ideal solution.
- Updating either API’s authorizer to accept the other side’s access tokens. We would prefer not to do this because it feels too much like a one-off solution.
Can anyone help point us in the right direction?
Thank you!
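As an added illustration of the token-exchange option the post describes (this is example code written here, not the poster's setup or anything Auth0 ships), the block below sketches what an RFC 8693 style exchange endpoint on the platform side would do: verify the client-issued token against the client's issuer and audience, then mint a separate platform token bound to the platform's own issuer and audience for the same subject. Every issuer URL, audience and key is a constructed placeholder, and HS256 with shared secrets is used only so the example runs offline; a real deployment would verify against each issuer's JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo configuration. The issuer and audience values are
# placeholders, not the poster's real tenants; the secrets exist only so the
# example is self-contained (a real service would use per-issuer JWKS keys).
CLIENT_ISSUER = "https://client-tenant.example/"      # assumed: client's Auth0 tenant
CLIENT_AUDIENCE = "https://client.example/api"        # assumed: client backend API
CLIENT_SECRET = b"constructed-client-secret"
PLATFORM_ISSUER = "https://platform.example/"         # assumed: our platform's issuer
PLATFORM_AUDIENCE = "https://platform.example/api"    # assumed: our platform's API
PLATFORM_SECRET = b"constructed-platform-secret"
PLATFORM_TTL = 600  # seconds the exchanged token stays valid


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT from the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Check signature, alg, iss, aud and exp; raise ValueError on any failure."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def is_valid_client_token(token: str, now=None) -> bool:
    """True only for a live token issued by the client tenant for the client API."""
    try:
        verify_jwt(token, CLIENT_SECRET, CLIENT_ISSUER, CLIENT_AUDIENCE, now)
        return True
    except ValueError:
        return False


def exchange_token(subject_token: str, now=None) -> dict:
    """Platform-side exchange: validate the client token, mint a platform token.

    The response shape follows RFC 8693 (access_token, issued_token_type,
    token_type, expires_in). The platform token carries its own iss/aud, so the
    two APIs keep separate trust boundaries and neither has to accept the
    other's tokens directly.
    """
    now = time.time() if now is None else now
    claims = verify_jwt(subject_token, CLIENT_SECRET, CLIENT_ISSUER, CLIENT_AUDIENCE, now)
    platform_claims = {
        "iss": PLATFORM_ISSUER,
        "aud": PLATFORM_AUDIENCE,
        "sub": claims["sub"],          # same end-user identity, new audience
        "iat": int(now),
        "exp": int(now) + PLATFORM_TTL,
    }
    return {
        "access_token": sign_jwt(platform_claims, PLATFORM_SECRET),
        "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "token_type": "Bearer",
        "expires_in": PLATFORM_TTL,
    }


if __name__ == "__main__":
    t = int(time.time())
    client_tok = sign_jwt({"iss": CLIENT_ISSUER, "aud": CLIENT_AUDIENCE,
                           "sub": "user-123", "exp": t + 60}, CLIENT_SECRET)
    print(json.dumps(exchange_token(client_tok), indent=2))
```

The point of the exchange endpoint is that the platform token is only ever minted after the client token passes the full issuer, audience, signature and expiry checks, and that a platform token presented back to the client side fails those same checks, which is the separation the two-token design is after.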