Hi! I’m hoping to get some clarification and guidance with an API authentication flow that I am trying to implement in my ASP.NET C# Web API. I have some key goals:
- Use a trusted third-party’s JWT to authenticate with my own API via an Angular web app.
- Include some custom information (like an account number) in the access token so that people are limited to their own stuff only.
- Allow other clients to authenticate with my API directly for separate use cases.
Here’s the current outline as I’m envisioning it:
![flow chart][1]
- Person signs in to the client web app, authenticating with trusted API that drives most of the web app.
- Token A is issued to the client web app for future requests to Trusted API.
- Client web app sends Token A to My API for a second authentication step.
- My API sends a request to Trusted API, validating Token A and requesting account information.
- Trusted API sends account information response to My API.
- My API uses “Client Credentials Exchange”(?) to get an access token from Auth0, adding custom claims.
- Auth0 responds with Token B, the access token for My API (containing custom claims).
- My API issues Token B to the client web app for future requests to My API.
Is this approach possible with Auth0? Right now, the only thing that is aware of Auth0 is My API. I am also stumbling with the correct way to add the custom information into the access token, since My API will be doing it programmatically.
Any guidance you could provide would be greatly appreciated. Please let me know if I’m approaching this all-wrong too!
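The token exchange outlined in the post, as an added, stack-neutral example (Python standard library only); it is not the poster's ASP.NET code and it does not call Auth0. Trusted API's validation endpoint is replaced by a local function (`trusted_api_validate`), and Token B is minted locally with an HMAC key held by My API as a stand-in for the Auth0-issued token; in the real flow Token B would be signed by Auth0 and verified against its JWKS. Every issuer, audience, key, claim name and account record below is constructed for the example. What it shows: Token B is only minted after Token A verifies, the account number is copied from the trusted source into a namespaced custom claim, and the resource check takes the account from the verified Token B rather than from the request.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWS (HS256) over the given claims."""
    segs = [_b64url(json.dumps(x, separators=(",", ":")).encode())
            for x in ({"alg": "HS256", "typ": "JWT"}, claims)]
    sig = hmac.new(key, ".".join(segs).encode(), hashlib.sha256).digest()
    return ".".join(segs + [_b64url(sig)])


def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now: float) -> dict:
    """Pin the algorithm, check the signature before trusting any claim,
    then check iss/aud/exp. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


# ---- Constructed parties, keys and records (assumptions, not real values) ----
TRUSTED_ISS, TRUSTED_AUD = "https://trusted.example", "https://trusted.example/api"
TRUSTED_KEY = b"constructed-trusted-api-secret"
MY_ISS, MY_AUD = "https://my-api.example", "https://my-api.example"
MY_KEY = b"constructed-my-api-secret"  # stand-in for Auth0 as issuer of Token B
ACCOUNT_CLAIM = "https://my-api.example/account_number"  # namespaced custom claim
_ACCOUNTS = {"user-123": "ACC-0001", "user-456": "ACC-0002"}  # Trusted API's data


def trusted_api_validate(token_a: str, now: float) -> dict:
    """Stand-in for the HTTP call in which Trusted API validates Token A and
    returns account information for its subject."""
    claims = verify_hs256(token_a, TRUSTED_KEY, TRUSTED_ISS, TRUSTED_AUD, now)
    account = _ACCOUNTS.get(claims.get("sub"))
    if account is None:
        raise ValueError("unknown subject")
    return {"sub": claims["sub"], "account_number": account}


def exchange_token(token_a: str, now: float, ttl: int = 900) -> str:
    """My API: accept Token A, have Trusted API validate it, then mint Token B
    carrying the account number. A bad Token A raises and nothing is issued."""
    info = trusted_api_validate(token_a, now)
    claims_b = {"iss": MY_ISS, "aud": MY_AUD, "sub": info["sub"],
                "iat": int(now), "exp": int(now) + ttl,
                ACCOUNT_CLAIM: info["account_number"]}
    return sign_hs256(claims_b, MY_KEY)


def can_access_account(token_b: str, requested_account: str, now: float) -> bool:
    """Resource-endpoint check: the account comes from the verified Token B,
    never from the request body, so a caller cannot pick another account."""
    try:
        claims = verify_hs256(token_b, MY_KEY, MY_ISS, MY_AUD, now)
    except ValueError:
        return False
    return claims.get(ACCOUNT_CLAIM) == requested_account


if __name__ == "__main__":
    now = time.time()
    token_a = sign_hs256({"iss": TRUSTED_ISS, "aud": TRUSTED_AUD,
                          "sub": "user-123", "exp": int(now) + 600}, TRUSTED_KEY)
    token_b = exchange_token(token_a, now)
    print("own account:", can_access_account(token_b, "ACC-0001", now))
    print("other account:", can_access_account(token_b, "ACC-0002", now))
```

Two design points carry over to whatever library does the real work. First, My API never forwards Token A to its own resource endpoints: the only thing those endpoints accept is Token B, checked for signature, issuer, audience and expiry, so a Token A (or a token from a different client) fails at the signature step. Second, the account number is written into Token B by My API from data Trusted API returned, and the resource check reads it back out of the verified token; nothing the Angular client sends can change which account a request is scoped to.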