
How to generate a token for user (without having user login)

jwt
auth0
management-api

#1

Background:
Right now, basically we use Auth0 Lock js for user registration and to generate id_tokens, which in turn are used by our UI, a Single Page App (SPA), to call our APIs. Works fine, and all our APIs rely on these id_tokens before granting access.

So this is new scenario we hope to support:

  1. User A is registered user of another Company. Let’s call this Company Foo.
  2. Company Foo tells us (via a backend API call) to provision a resource for a user in their system. (The user is pretty much anonymous to us: no email, no anything, just a unique id from their system. All we do is provision that resource, and that resource is tied to that user id from their system.)
  3. When that user A needs to access that resource through our website’s UI, then Company Foo will do a post to our website, and give us a token that ensures that it is the user A, and his associated user Id, and then the expectation is that we should grant user access to the resource, via our UI.

Company Foo is relatively big, so we can’t really change their demands/flows.

My Question

  1. How to create an anonymous user (seems database connection always requires an email) in Auth0? Can we create one without email? Use a unique id of some sort.

  2. How do I create a token for that user when I receive a POST on my website from Company Foo? I see the management API for getting a token is to get a client token to access the management API; of course I can’t give that token to the user. I need an id_token like it is for other regular users, since the communication between the SPA and our APIs is all expected to use the id_token issued by Auth0.

I read the management API extensively, and don’t see how best to support this scenario.

Any help is appreciated.


#2

Sounds to me like this isn’t really something you need to do on the Auth0 side of things, just on your server side. Just like Auth0 is an identity provider, so is the system used by Company Foo. I don’t know what sort of token they’re using, but if it’s OAuth2 or OpenID Connect, you could use almost the same code you use to validate Auth0 sessions, but now they’re Foo sessions (love that name).

TL;DR: as authentication is already done by Company Foo, you don’t need Auth0 to step in between anymore. Validate the token from Foo just like you would validate an Auth0 token.


#3

Well, the company certainly doesn’t use JWT.
While it is possible to change all of our APIs (across almost a dozen microservices) to enable a new authentication scheme (a new type of token) as you suggested, it also seems very risky.
It would be better if we could just generate an id_token for this user (it is a change in one place instead of many places, and a change to the security model). So are you saying there is no way that Auth0 allows their tenants to do this? (Seems like a basic feature.)


#4

Well, you’re having me work in the blind here, since I have no idea how that company tries to authenticate, or how your service handles authentication. Is it an SPA? Is it a regular web app? What OAuth flow are you using? I would hope Company Foo uses some sort of industry standard; then we could easily work with it. I could imagine them using SAML? If that’s the case, Auth0 has native support for that as a connection.

Now, let’s assume nothing like that is the case and Company Foo decided to roll their own system. Auth0 is designed to authenticate users through a variety of means, but if I understand you correctly, you’re asking it to not authenticate anything and just sign an access token (at least I’m assuming your API uses an access token). Without changes to Company Foo’s systems, that’s simply impossible to do in a direct way.

But, since you can control your own servers, you could create a middleware service that Company Foo does a POST request to. Then, using a Client Credentials grant, you could have the middleware service authenticate with Auth0 and get an access token, including the correct audience (if that’s what you need). Then, use the access token as you please.

That is a bit of a hack, though, and I really would hope Company Foo uses something like SAML.
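The two suggestions in this thread, validating Company Foo's token on your own server (#2) and a middleware service that then obtains an Auth0 access token via the Client Credentials grant (#4), can be put together in one small service. The code below is an added example, not code from Auth0 or from anyone in the thread. Since #3 says Foo does not use JWTs and never describes their token, the example assumes a hypothetical scheme in which Foo signs its POST body with HMAC-SHA256 over a shared secret and a timestamp; the Auth0 part uses the standard `POST https://{domain}/oauth/token` body for `grant_type=client_credentials`, with the HTTP call injectable so the logic can be exercised without network access. The `post` parameter, `provision_session` and the Foo payload layout are all assumptions for illustration.

```python
"""Middleware that accepts a signed POST from "Company Foo", verifies it, and
exchanges the service's own credentials for an Auth0 access token.

Assumptions (not from the thread): Foo signs "<user_id>.<timestamp>" with
HMAC-SHA256 over a shared secret; Auth0's /oauth/token endpoint is called with
the standard client_credentials JSON body.
"""
import hashlib
import hmac
import json
import time
import urllib.request

FRESHNESS_SECONDS = 300  # reject Foo POSTs older than 5 minutes (replay guard)


def foo_signature(secret: bytes, user_id: str, timestamp: int) -> str:
    """HMAC-SHA256 over a canonical string (the assumed Foo signing scheme)."""
    msg = f"{user_id}.{timestamp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_foo_post(payload: dict, secret: bytes, now=None) -> str:
    """Return Foo's user id if the POST is authentic and fresh; raise otherwise."""
    now = int(time.time()) if now is None else now
    try:
        user_id = str(payload["user_id"])
        ts = int(payload["timestamp"])
        sig = str(payload["signature"])
    except (KeyError, ValueError, TypeError) as exc:
        raise ValueError("malformed Foo payload") from exc
    if abs(now - ts) > FRESHNESS_SECONDS:
        raise ValueError("stale Foo payload")
    expected = foo_signature(secret, user_id, ts)
    # Constant-time compare so a wrong signature does not leak timing information.
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad Foo signature")
    return user_id


def _urllib_post(url: str, body: dict) -> dict:
    """Default transport: JSON POST with urllib (used when no fake is injected)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def client_credentials_token(domain, client_id, client_secret, audience, post=_urllib_post):
    """Client Credentials grant against Auth0; returns the token response dict."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }
    resp = post(f"https://{domain}/oauth/token", body)
    if "access_token" not in resp:
        raise RuntimeError(f"token request failed: {resp}")
    return resp


def provision_session(payload, foo_secret, auth0_cfg, post=_urllib_post, now=None):
    """Verify Foo's POST first, then fetch a machine token for the caller.

    The returned access token identifies this service, not the Foo user, so the
    Foo user id is carried alongside it for the API's own authorization checks.
    """
    user_id = verify_foo_post(payload, foo_secret, now)
    tok = client_credentials_token(
        auth0_cfg["domain"], auth0_cfg["client_id"],
        auth0_cfg["client_secret"], auth0_cfg["audience"], post=post,
    )
    return {
        "foo_user_id": user_id,
        "access_token": tok["access_token"],
        "expires_in": tok.get("expires_in"),
    }


if __name__ == "__main__":
    # Constructed sample: what Foo would send if it used the assumed scheme.
    secret = b"shared-secret-with-foo"
    now = 1_700_000_000
    sample = {"user_id": "foo-user-42", "timestamp": now,
              "signature": foo_signature(secret, "foo-user-42", now)}
    print(verify_foo_post(sample, secret, now=now))
```

The order of operations is the security-relevant part: nothing is requested from Auth0 until Foo's POST has passed both the signature and the freshness check, so a forged or replayed POST cannot mint tokens. The Client Credentials token's subject is the service's own client, which is why the Foo user id travels next to it rather than inside it; any per-user authorization in the APIs has to be keyed on that id, which is the trade-off reply #4 calls a hack.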