Our front end application is an Angular SPA, which talks to our backend API services with id-tokens signed & obtained from Auth0. The scenario in question is like this:
- We are implementing account linking (by calling Auth0 Management API from our backend API).
- A user is already signed in with Auth0 account (with
- He needs to link a social account to his Auth0 account.
- From the SPA, we call
'google-oauth2'as connection value, in order to obtain another Auth0 idToken of the user’s social account.
- With previously cached
idToken, the SPA calls our backend API service to link the two accounts.
However, in step 4, the user’s Auth0 SSO cookie would have been replaced with the one for the Auth0 account (with
'google-oauth2' as the primary identity) when the user is redirected back to our SPA. This becomes troublesome because we need the user to continue under our SPA using his previous auth0 account (due to the fact that the new account is removed during the linking call in step 5).
So, the question is, whether it is possible to call
webAuth.authorize API with a social connection like ‘facebook’ or ‘google-oauth2’ to obtain a new idToken, without changing the Auth0 SSO cookie associated with his existing auth0 account?