Right now, basically we use Auth0 Lock js for user register/ and generate id_tokens, which in turn are used by our UI via a Single Page App (SPA) to call our APIs. It works fine, and all our APIs rely on these id_tokens before granting access.
So this is the new scenario we hope to support:
- User A is a registered user of another company. Let’s call this Company Foo.
- Company Foo tells us (via a backend API call) to provision a resource for a user in their system. (The user is pretty much anonymous to us: no email, no anything, just a unique id from their system.) All we do is provision that resource, and that resource is tied to that user id from their system.
- When that user A needs to access that resource through our website’s UI, Company Foo will do a POST to our website and give us a token that ensures that it is user A, with his associated user id, and then the expectation is that we should grant the user access to the resource via our UI.
Company Foo is relatively big, so we can’t really change their demands/flows.
How do we create an anonymous user in Auth0 (it seems a database connection always requires an email)? Can we create one without an email, using a unique id of some sort?
How do I create a token for that user when I receive a POST on my website from Company Foo? I see that the management API for getting a token is for getting a client token to access the management API; of course I can’t give that token to the user. I need an id_token like the one for other regular users, since the communication between the SPA and our APIs is all expected to use the id_token issued by Auth0.
I read the management API documentation extensively, and don’t see how best to support this scenario.
Any help is appreciated.