We have been using Auth0 for many years and as best practices change we are attempting to keep up. We are in the process of moving our custom login and password reset forms, hosted in our SPA to universal login. Previously we used resource owner via auth0.js and now Auth Code with PKCE with auth0-spa.js.
The issue we have is that we have Customers who integrate with our API but also need to launch our SPA for occasional user input. Currently they authenticate using resource owner flow from their server to get an access token to call our API. In Auth0 we have an Application per customer application and an Application for our SPA. If they need to send the user to our SPA they send the access token to a servlet in our server which exchanges their access token for a delegation token for our SPA and then redirects to the SPA with the id_token and access_token in the hash. Hopefully the following sequence helps show the flow we have.
The issue is we don’t want to affect our existing customer integrations (the flow highlighted in yellow) but auth0-spa.js doesn’t parse the hash and so our API customers can’t effectively SSO to our SPA.
It would be ideal if we could send an /authorize request with a valid access token to initialise an Auth0 session and then when our SPA loads it also redirects to authorize and will find the existing session. Any advice, ideas or thoughts would be appreciated.