Generate User Token on behalf of user OR exchange token with API Management?

Hello! We are integrating our app with a third-party app that uses its own authentication system (e.g., JWT or similar). Our goal is to enable seamless authentication and user experience between the third-party app and our app without requiring the user to enter their credentials multiple times.

Here’s our proposed flow:

  1. The third-party app will include a button that opens a webview hosted by us.
  2. The third-party app will send a unique ID (encrypted) via the webview.
  3. We will decrypt this ID on our backend, verify the information, and, if correct, create a user in Auth0 (for our app) and authenticate on behalf of that user (it looks like this is not doable with Auth0).
  4. Users may have different scopes based on their roles or permissions.

Here’s an example scenario:

  • The user logs into the third-party app and clicks the button to open our webview. We receive the encrypted unique ID, verify it, and authenticate the user in our system without them needing to enter their credentials again (is this doable at all?).
  • If the user closes the app and returns after some time, they should be able to open the webview from the third-party app again. We will receive the same data, recognize the user as already registered, and issue a token for that user based on the trusted data from the third-party app (basically, knowing that we have to log in on that user's behalf).

We aim to ensure that users do not need to enter their credentials twice (once in the third-party app and once in our webview). However, since the third-party app and our app cannot share the same SSO, and we cannot directly validate the tokens from the third-party app, we are seeking the best approach to handle this scenario via Auth0.

Questions:

  1. Does the OAuth2 flow fit this use case, or is there a more appropriate mechanism to achieve seamless authentication in this scenario?
  2. Given that we cannot use the third-party app’s tokens directly, what is the recommended way to authenticate the user in our system based on the data received from the trusted third-party provider?
  3. Is it possible to obtain a token on the user’s behalf via the Auth0 Management API without prompting the user to enter their credentials, considering the initial authentication has already occurred in the third-party app?
  4. Are there any best practices or recommended approaches to minimize user disruption while ensuring secure and seamless authentication across the two apps?

Any insights or suggestions would be greatly appreciated.

@tyf @rueben.tiow I see that you’re more active here in the forum, guys. Do you think you’d be able to answer the above question, or should I contact the support team directly? Thanks in advance, and sorry if I’m being too much of a bother.
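The handoff described in the post, written out as an added example (this is not code from the original post, from Auth0, or from any Auth0 API; it stands in for whatever identity store you end up using). The one change from the proposed flow is that the third-party app hands the webview a short-lived, signed, single-use assertion rather than a bare encrypted ID: encryption hides the ID, but on its own it does not prove who minted it or stop someone who captures it from reusing it, so the backend here checks signature, issuer, audience, expiry and replay before it trusts any claim, then creates or looks up the user and issues its own scoped session. The shared secret, the issuer/audience names, the role-to-scope table and the in-memory stores are all constructed for illustration.

```python
# Added example, not from the original post or from Auth0. Both sides of a
# cross-app login handoff: the third-party app mints a signed, short-lived,
# single-use assertion (HS256 JWT); our backend verifies it and issues its own
# session with scopes derived from the asserted roles.
import base64
import hashlib
import hmac
import json
import secrets
import time

SHARED_SECRET = b"example-shared-secret-rotate-me"   # assumption: exchanged out of band
ISSUER, AUDIENCE = "third-party-app", "our-backend"  # hypothetical names
ASSERTION_TTL = 60                                   # seconds; the assertion is used once


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> str:
    return b64url(hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest())


def third_party_make_assertion(external_user_id: str, roles: list, now=None) -> str:
    """Third-party side: compact HS256 JWT carrying identity, roles, expiry and a nonce."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": AUDIENCE, "sub": external_user_id, "roles": roles,
               "iat": now, "exp": now + ASSERTION_TTL, "jti": secrets.token_urlsafe(16)}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    return signing_input + "." + _sign(signing_input)


def tamper_roles(token: str, roles: list) -> str:
    """Attacker helper for the demo: rewrite the roles claim without re-signing."""
    h, p, s = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload["roles"] = roles
    return h + "." + b64url(json.dumps(payload).encode()) + "." + s


class OurBackend:
    ROLE_SCOPES = {"viewer": ["read:docs"], "editor": ["read:docs", "write:docs"]}  # constructed

    def __init__(self):
        self.users = {}      # external id -> our user record (stands in for the Auth0 user)
        self.used_jti = {}   # jti -> exp; replay cache bounded by the assertion lifetime
        self.sessions = {}   # our own session token -> {user_id, scopes, exp}

    def verify_assertion(self, token: str, now: int) -> dict:
        try:
            h, p, s = token.split(".")
            header = json.loads(b64url_decode(h))
            claims = json.loads(b64url_decode(p))
        except ValueError:
            raise ValueError("malformed assertion")
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")        # never let the token pick the algorithm
        if not hmac.compare_digest(_sign(h + "." + p).encode(), s.encode()):
            raise ValueError("bad signature")         # checked before trusting any claim
        if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
            raise ValueError("wrong issuer or audience")
        if not (claims.get("iat", 0) - 30 <= now < claims.get("exp", 0)):
            raise ValueError("expired or not yet valid")
        self.used_jti = {j: e for j, e in self.used_jti.items() if e > now}  # drop expired entries
        jti = claims.get("jti")
        if not jti or jti in self.used_jti:
            raise ValueError("replayed assertion")
        self.used_jti[jti] = claims["exp"]
        return claims

    def login_from_assertion(self, token: str, now=None) -> dict:
        """Webview entry point: verify, create-or-look-up the user, issue our own scoped session."""
        now = int(time.time()) if now is None else now
        try:
            claims = self.verify_assertion(token, now)
        except ValueError as e:
            return {"ok": False, "error": str(e)}
        # Returning users map to the same record; new ones are created on first handoff.
        user = self.users.setdefault(claims["sub"], {"id": f"u_{len(self.users) + 1}"})
        scopes = sorted({sc for role in claims.get("roles", []) for sc in self.ROLE_SCOPES.get(role, [])})
        session = secrets.token_urlsafe(32)
        self.sessions[session] = {"user_id": user["id"], "scopes": scopes, "exp": now + 3600}
        return {"ok": True, "session": session, "user_id": user["id"], "scopes": scopes}
```

Two design points worth keeping whatever identity provider sits behind `OurBackend`: the scopes are computed from claims the third party signed, not from anything the webview can edit, and the assertion is rejected on a second use, so a link or intent captured from the device cannot be replayed to mint a fresh session. Whether Auth0 itself can mint the resulting session without a credential prompt is the poster's open question and is not answered by this example.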