Enabling third party applications having their own IdP to access API

Hello,
We want to allow an external customer application to access our APIs.
Below is the scenario:

  • End users log in to the external customer web application.
  • The web application should be able to make calls to our APIs directly from the web browser.
  • API access should happen using a token issued to the user, and we should be able to identify the user.
    Could you let me know which OAuth 2.0 flow would be applicable for this scenario? I think an Auth0 native application needs to be set up along with a customer IdP connection, and this application will act as a SAML SP.
  • If customer applications work under SSO, will it work there for this flow also, or do we need some additional setting in Auth0 for this requirement?

I looked into the documentation for details but could not find all the information for this scenario in one document. I am finding it difficult to join the information. Please provide steps, doc links for those steps and, if possible, one small block diagram for the same.

Hi @bhawna.bhati

You need a “third party app” for your external customer. See the docs here:

They should use Auth Code or Auth Code + PKCE to access your Auth0 tenant and get an access token for use with your API.

John


Hi @john.gateley, thank you for your response.

If they use Auth Code + PKCE, then they will have to install the Auth0 React SDK. Is there any solution with which they don't have to update their application codebase?

Is there any way they can generate an access token from our Auth0 server for a user already logged in using their IdP (SSO capability)? I see the SAML add-on for an application does something like that. Our Auth0 has to be the SAML service provider in this case, I guess. I did not find any document with steps for generating an access token if I configure our Auth0 server and their IdP using the documents related to SAML.

Hi @bhawna.bhati

This is complex. You have to have a trust agreement between you and the third party. One way to implement that is with OAuth2/OIDC. There are others. But any agreement will require some implementation.

The OIDC third-party apps approach is a straightforward one with minimal effort.

John
