How to add an authorized application to a user using Resource Owner Password?

Hello auth0 community,
I would like to add an Authorized Application to a user similarly to this post - How to Add an Authorized Application to a User?

However in this post an Auth0 employee says that we “don’t need to (nor you can) manually add “Authorized Applications” to the user.” but in my case I feel I really need to. Here’s why:

I’m using auth0 to sync users sessions on two platforms bubble and tribe that I have connected together for the web app I’m building.
When a new user signs up on bubble, I use API calls to create an auth0 user and a tribe user for this user.
Once a user is signed up, they have access to the bubble section of the platform, but if they try to go to a tribe.so section of the platform, they are asked to log in again. Only then does the app appear in their authorized applications on the Auth0 dashboard, and they can go from the bubble section of the web app to the tribe section (or vice-versa) without being asked to log in again.

To try and solve this problem I’ve used the Authentication API and the “Resource Owner Password” flow to get a user token when the user signs up. It properly logs them in on Auth0, but since it doesn’t add any app to their “Authorized applications”, they are still being asked to log in when they try to go to the tribe section of my app, which doesn’t work for us as a user experience.

Where I’m confused is that in the documentation which can be found here User Consent and Third-Party Applications, it is mentioned that “When using the Resource Owner Password Flow, no consent dialog is involved because the user directly provides their password to the application, which is equivalent to granting the application full access to the user’s account.”

Therefore I am wondering if I am doing something wrong and if there is a way to make the application appear in a user’s Authorized Applications when using the “Resource Owner Password” flow.

Thanks in advance for the help and suggestions

Hi

I think a completely different approach is called for.

You have two applications that you need SSO between, and they share a user database.

Use the OIDC flow, not ROPG, and this gives you the SSO behavior you need.

Put the authorized applications in the user’s app_metadata, and from there you can add it to the ID token or the access token.

This should give you everything you need, and is a much simpler architecture.

John

1 Like

Hi John,
Thanks a lot for your answer and pointing me in the right direction. That’s quite useful to know that I was doing this the wrong way.

I’m however not too sure how to implement what you suggest.
I’ve looked into the OIDC flow and it looks like there are a lot of possible routes that I can take; which API call would you suggest I use?
Also, I don’t seem to find any documentation on how to add authorized applications in the user’s app_metadata. Would you mind pointing me toward the right resources?

Thanks so much in advance.

Hi Pierre

To see which flow you use, check this:

It will most likely be Auth Code or Auth Code + PKCE

The “Authorized Applications” is something you’ll have to implement yourself, with a field in the user’s app_metadata containing all applications they are authorized for, and adding this data to the ID token. The app should then verify the ID token and look at this field.

Or if you can protect at an API level instead of an app level, use the Access token instead.

John

1 Like
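The approach John describes (an app_metadata field listing the applications a user is authorized for, copied into the ID token, and then checked by the app) can be exercised end to end. The following is an added example, not code from the thread or from Auth0: a post-login Action in the shape Auth0 calls, a small local stand-in for the Action runtime so the logic runs offline, and the check the relying application performs on the verified claims. The metadata key `authorized_applications`, the claim namespace `https://example.com/claims/` and the client IDs are assumptions; Auth0 drops custom claims that are not namespaced, so the namespace is required, and the signature/issuer/audience/expiry verification that must precede `isAuthorizedFor` is left to a JWT library.

```javascript
// Assumed claim namespace: Auth0 ignores custom claims that are not URL-namespaced.
const CLAIM_NAMESPACE = "https://example.com/claims/";
const CLAIM = CLAIM_NAMESPACE + "authorized_applications";

// Post-login Action handler in the (event, api) shape Auth0 invokes.
// In a deployed Action this is exported as `exports.onExecutePostLogin`.
const onExecutePostLogin = async (event, api) => {
  const meta = event.user.app_metadata || {};
  // Assumed metadata layout: an array of Auth0 client IDs the user may use.
  const authorized = Array.isArray(meta.authorized_applications)
    ? meta.authorized_applications
    : [];
  // Expose the list to the app through a namespaced ID-token claim.
  api.idToken.setCustomClaim(CLAIM, authorized);
  // Enforce at login as well: refuse the login if this client is not on the list.
  if (!authorized.includes(event.client.client_id)) {
    api.access.deny("Not authorized for this application");
  }
};
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// Local stand-in for the Action runtime (constructed for this example).
// The handler awaits nothing, so its side effects complete before it returns.
function runAction(user, clientId) {
  const claims = {};
  let denied = null;
  const api = {
    idToken: { setCustomClaim: (name, value) => { claims[name] = value; } },
    access: { deny: (reason) => { denied = reason; } },
  };
  onExecutePostLogin({ user, client: { client_id: clientId } }, api);
  return { claims, denied };
}

// Relying-application side: run only on claims whose token signature, issuer,
// audience and expiry have already been verified by a JWT library.
function isAuthorizedFor(verifiedClaims, clientId) {
  const list = verifiedClaims[CLAIM];
  return Array.isArray(list) && list.includes(clientId);
}

// Constructed sample user as it would be stored in Auth0 (placeholder client IDs).
const sampleUser = {
  user_id: "auth0|example-user",
  app_metadata: { authorized_applications: ["BUBBLE_CLIENT_ID", "TRIBE_CLIENT_ID"] },
};

// Usage: a login to the tribe client passes and yields the claim; an unknown client is denied.
console.log(runAction(sampleUser, "TRIBE_CLIENT_ID"));
console.log(runAction(sampleUser, "OTHER_CLIENT_ID").denied);
```

Storing client IDs rather than application names keeps the list stable across renames, and denying in the Action means an unauthorized app never receives a token at all, while the claim lets each app double-check on its own side.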

Thanks for helping on this one John!

Thank you John and Konrad.
I’ll work on this this weekend.
Are there some best practices in the way to write the key/value pair in order to add Authorized Applications to the user’s app_metadata? Like “Authorized Applications”: " { “Audience” : “https://{domain}.auth0.com/userinfo” } " or “Authorized Applications”: “Application name” or “Authorized Applications”: [List of application IDs, Audience, etc]…
I can see a lot of ways to do this but can’t find guidance online so I’m a bit lost.

Thanks so much for all the help.

1 Like