We would currently use Auth0 for login & user management, but have a separate (legacy) OAuth2 authentication server that provides users logged in through Auth0 with access tokens for our high performance Resource Server. It is a delegated setup, if you understand what I’m saying.
Ideally, we would like to fully use Auth0, also to generate the access tokens for this primary Resource Server, and also handle the refreshing, etc. However, our end-users typically never log in again after they have connected a third-party to their account. Therefore, migrating from the existing Authentication Server to Auth0 by requiring users to provide consent in the Auth0 consent dialog is very much not an option.
We would like third party applications to just keep on refreshing the access tokens, and get a new Auth0 JWK access token once the migration kicks in. This would involve:
- importing existing clientID & clientSecrets.
- being able to perform the refresh flow against Auth0 using the existing external (non-Auth0) refresh_tokens, by importing existing user-consents on-demand from the legacy authentication server.
I’ve highlighted the things that I think are not possible yet. I know this sounds far-fetched, but I would really like to know whether this can become possible in the future, or whether anyone sees an alternative path.
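One shape an "alternative path" could take is a refresh-token bridge placed in front of the new token service during migration: it verifies the imported client credentials, accepts a legacy refresh token exactly once, imports the user's consent on that first use, and rotates the client onto a newly issued refresh token. This is an added illustration, not Auth0 functionality or the poster's setup; the in-memory stores, the legacy token table and the `refresh()` function are assumptions.

```python
# Refresh-token bridge sketch for a legacy-to-new-IdP migration (assumed design).
import hashlib
import hmac
import secrets
import time

# Constructed sample data standing in for the imported legacy clients and
# the legacy authentication server's refresh-token table.
LEGACY_CLIENTS = {"app-123": hashlib.sha256(b"legacy-secret").hexdigest()}
LEGACY_REFRESH_TOKENS = {
    "old-rt-1": {"user": "u42", "client": "app-123", "scope": "read:profile"},
}

# State owned by the new token service.
imported_consents = {}   # (user, client) -> granted scope, filled on demand
new_refresh_tokens = {}  # rotated token -> {user, client, scope}
revoked_legacy = set()   # legacy tokens already exchanged (one-time use)

def _client_ok(client_id, client_secret):
    """Constant-time check of the client secret against the imported hash."""
    digest = hashlib.sha256(client_secret.encode()).hexdigest()
    expected = LEGACY_CLIENTS.get(client_id)
    return expected is not None and hmac.compare_digest(digest, expected)

def _issue(user, client, scope):
    """Mint a new access token plus a rotated refresh token."""
    rt = secrets.token_urlsafe(32)
    new_refresh_tokens[rt] = {"user": user, "client": client, "scope": scope}
    return {"access_token": f"at.{user}.{int(time.time())}",
            "refresh_token": rt, "expires_in": 3600, "scope": scope}

def refresh(client_id, client_secret, refresh_token):
    """Handle grant_type=refresh_token for both migrated and legacy tokens."""
    if not _client_ok(client_id, client_secret):
        return {"error": "invalid_client"}
    # Already-migrated token: pop it so every use rotates the refresh token.
    grant = new_refresh_tokens.pop(refresh_token, None)
    if grant is None:
        # Legacy token: accept once, import the consent, then revoke it.
        if refresh_token in revoked_legacy:
            return {"error": "invalid_grant"}
        grant = LEGACY_REFRESH_TOKENS.get(refresh_token)
        if grant is None or grant["client"] != client_id:
            return {"error": "invalid_grant"}
        revoked_legacy.add(refresh_token)
        imported_consents[(grant["user"], client_id)] = grant["scope"]
    elif grant["client"] != client_id:
        return {"error": "invalid_grant"}  # token already popped: wrong client burns it
    return _issue(grant["user"], client_id, grant["scope"])
```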