We’re developing an app and it has to support WeChat login. Our server will get the access token from WeChat server through the authentication code flow.
Is it possible to use Auth0 to authenticate the user with this access token? How can I do that?
WeChat is immensely popular in China. I searched the forum and saw numerous requests for out-of-the-box support for WeChat login. I tried to use the custom extension to support WeChat login but was unsuccessful due to a lack of information.
Exchanging an external access_token for an Auth0 token was supported at some point for a handful of identity providers, but it’s now considered a legacy flow and not being worked on anymore (it doesn’t support API authorization). Also new tenants don’t have access to it. I’d encourage you to add your feedback to https://auth0.com/docs/feedback explaining your use case. If this feature makes sense for many customers, the Product team might decide to prioritize it before others.
As for federating authentication like we do with Google, Facebook and others, Auth0 can only connect to external identity providers via standard federation protocols like OIDC, OAuth1 and OAuth2. AFAIK WeChat only supports OAuth2 for users signing in on desktop computers, but the flow does not work on mobile devices, which would limit its functionality greatly.
The problem is that WeChat’s authentication scheme uses a QR code displayed on the screen (instead of asking for username/password) that needs to be scanned with the WeChat app. This means that a user can only log in to a desktop computer or another device, but not on the phone itself (because the app needs to scan the QR code). From WeChat’s documentation:
This feature lets users log into third-party sites on their computer by scanning a QR code displayed on the page, using their mobile phone. This reduces any friction new users may encounter in using your site, saving the time and hassle of having to remember yet another password.
Would this work for you, knowing that the authentication scheme could not be used on a mobile device?
The instructions you linked to require that the mobile app is installed, and the authentication happens by interacting with the native code:
Currently, only the original login method is allowed for WeChat login via mobile application, therefore users need to install the WeChat client.
With the current Auth0 product offering, the Custom Social Connections extension could be used to create an OAuth2 connection to WeChat (although we would have to tinker to rename the parameters since WeChat doesn’t use the standard OAuth2 parameter names). But that would only work on non-mobile devices, since this uses HTTP requests (it can’t interact with native apps). I can help you with this, but since it would take time I want to make sure it would be helpful to have WeChat authentication support only on desktop browsers, which I’m guessing won’t be enough.
Support for authenticating directly with a native app (basically the option to exchange a WeChat access token for an Auth0 access token) so that WeChat authentication can be used on any device would require modifications to the product (i.e. this is a feature request); it’s not possible at this moment. So, for this, the feedback page (https://auth0.com/docs/feedback) is the best option to reach out to the Product team.
We are facing exactly the same problem. We were able to set up the Custom Social Connections extension with WeChat, and it works well on desktop; however, we need to find a solution for mobile.
Because Auth0 does not provide local services in mainland China, it is very slow and unstable to visit Auth0 in China. I’m afraid Auth0 does not support at this moment exchanging a WeChat access token for an Auth0 token. For enterprises who want to use IDaaS services like Auth0 in China, Authing is currently the leading identity solution provider in China. Authing has added a WeChat ecological solution, which may help you solve your problems. You can visit this page to find out: https://authing.cn/solutions/wechat
I’m not too familiar with WeChat, but from what I’m reading, the login process involves rendering a QR code and scanning/authorizing it from the mobile app. If that’s the case, you can take the approach we did for Singpass and implement it on top of a custom social connection.