I have a working application written in Angular using the Angular Auth0 SDK.
Now, I want to create a Heroku addon that will also be able to access the application using Heroku's SSO mechanism for addons. So basically I want to keep the standard login using Auth0 for standard users but also provide access to Heroku users via the addon.
The way Heroku addons work is that my service must provide a SSO endpoint where they post some credentials data and then they get redirected to my application fully authenticated.
I am trying to find the cheapest way to implement this feature, but I am struggling to find a proper way to do it.
One path I am studying is the following:
- When the Heroku user is redirected to my service’s SSO endpoint I create an M2M JWT token with some metadata that will be used to determine who this user is, and that it is a Heroku user.
- The POST endpoint will redirect to the same redirect endpoint as Auth0 normally does after authenticating, in the hope that Angular Auth0 will catch this call and treat it as if it was a standard Auth0 login.
- Need to disable Angular Auth0 token auto-refresh mechanism to avoid a refresh that will fail.
So what do you think? Is this achievable at all? For step 2 I did not find documentation on what data I should send in the call, so I am studying the source code of the Angular Auth0 SDK, but it would be nicer to have some document that specifies this.
For point 3 I have no idea yet on how to disable the auto-refresh only for the M2M tokens…
Any help, hints or directions would be hugely appreciated!