Issue access token after third party API validation and include custom claims .NET API

Hi! I’m hoping to get some clarification and guidance with an API authentication flow that I am trying to implement in my ASP.NET C# Web API. I have some key goals:

  1. Use a trusted third-party’s jwt to authenticate with my own API via an Angular web app.
  2. Include some custom information (like an account number) in the access token so that people are limited to their own stuff only.
  3. Allow other clients to authenticate with my API directly for separate use cases.

Here’s the current outline as I’m envisioning it:

![flow chart][1]

  1. Person signs in to the client web app, authenticating with trusted API that drives most of the web app.
  2. Token A is issued to the client web app for future requests to Trusted API.
  3. Client web app sends Token A to My API for a second authentication step.
  4. My API sends a request to Trusted API, validating Token A and requesting account information.
  5. Trusted API sends account information response to My API.
  6. My API uses “Client Credentials Exchange”(?) to get an access token from Auth0, adding custom claims.
  7. Auth0 responds with Token B, the access token for My API (containing custom claims)
  8. My API issues Token B to the client web app for future requests to My API

Is this approach possible with Auth0? Right now, the only thing that is aware of Auth0 is My API. I am also stumbling with the correct way to add the custom information into the access token since My API will be doing it programmatically.

Any guidance you could provide would be greatly appreciated. Please let me know if I’m approaching this all wrong too!


Did you find a solution to this problem?
It sounds like you need a version of this: draft-ietf-oauth-token-exchange-03

Essentially, exchange an ID token from a third party for an API access token at OAuth.

The real-world physical use case is: exchange passport for room key at hotel.

I don’t believe Auth0 implements this yet (if ever). However, an approach to try is to build a service that:

  1. Validate the incoming trusted third-party JWT from the client
  2. Mint a custom API access token using a private key + suitable JWT library
  3. Send the API access token back to the client

Note: in order to mint a custom API access token you will probably need to use HS256 and the shared secret. If you create an API with RS256 there does not appear to be a way to retrieve the private key in order to mint your tokens with.
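An added example, not code from this thread or from Auth0, of the three-step service the reply above describes, written with the .NET JwtSecurityTokenHandler and signing Token B with HS256 and a shared secret as the note suggests. The issuer, audience, claim name and the TokenValidationParameters for the trusted API are assumptions; the account number is expected to come from the trusted API's account lookup (step 5 of the flow), not from the client.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;

// Added example (not the poster's code, not Auth0's): validate Token A, mint Token B
// with a custom account claim, and read that claim back. Names are placeholders.
public static class TokenExchangeService
{
    public const string AccountClaim = "https://my-api.example.com/account_number";

    // Step 1: validate Token A. Signature, issuer, audience and lifetime are all
    // checked by ValidateToken; any failure throws a SecurityTokenException.
    public static ClaimsPrincipal ValidateThirdPartyToken(string tokenA, TokenValidationParameters trustedApiParams)
    {
        return new JwtSecurityTokenHandler().ValidateToken(tokenA, trustedApiParams, out _);
    }

    // Step 2: mint Token B. accountNumber comes from the trusted API's account
    // lookup (step 5 of the flow), never from anything the client sent.
    public static string MintApiToken(ClaimsPrincipal trustedIdentity, string accountNumber, SymmetricSecurityKey myApiSecret)
    {
        string subject = trustedIdentity.FindFirst(JwtRegisteredClaimNames.Sub)?.Value
            ?? throw new SecurityTokenException("trusted token carries no sub claim");
        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, subject),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
            new Claim(AccountClaim, accountNumber),
        };
        var tokenB = new JwtSecurityToken(
            issuer: "https://my-api.example.com",
            audience: "my-api",
            claims: claims,
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.AddMinutes(15),          // keep Token B short-lived
            signingCredentials: new SigningCredentials(myApiSecret, SecurityAlgorithms.HmacSha256));
        // Step 3: the caller returns this string to the web app.
        return new JwtSecurityTokenHandler().WriteToken(tokenB);
    }

    // On later requests, My API validates Token B with the same secret (HS256) and
    // scopes every query to this claim, so a user only reaches their own data.
    public static string AccountNumberOf(ClaimsPrincipal apiUser) =>
        apiUser.FindFirst(AccountClaim)?.Value
        ?? throw new UnauthorizedAccessException("no account claim in token");
}
```

The shared secret passed as `myApiSecret` should be at least 256 bits and held only by My API, since anyone who has it can mint Token B.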