Hi! I’m hoping to get some clarification and guidance with an API authentication flow that I am trying to implement in my ASP.NET C# Web API. I have some key goals:
- Use a trusted third-party’s JWT to authenticate with my own API via an Angular web app.
- Include some custom information (like an account number) in the access token so that people are limited to their own stuff only.
- Allow other clients to authenticate with my API directly for separate use cases.
Here’s the current outline as I’m envisioning it:
- Person signs in to the client web app, authenticating with Trusted API that drives most of the web app.
- Token A is issued to the client web app for future requests to Trusted API.
- Client web app sends Token A to My API for a second authentication step.
- My API sends a request to Trusted API, validating Token A and requesting account information.
- Trusted API sends account information response to My API.
- My API uses “Client Credentials Exchange”(?) to get an access token from Auth0, adding custom claims.
- Auth0 responds with Token B, the access token for My API (containing custom claims).
- My API issues Token B to the client web app for future requests to My API.
Is this approach possible with Auth0? Right now, the only thing that is aware of Auth0 is My API. I am also stumbling with the correct way to add the custom information into the access token since My API will be doing it programmatically.
Any guidance you could provide would be greatly appreciated. Please let me know if I’m approaching this all wrong too!
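The two steps the outline hinges on, validating Token A before trusting anything in it and then minting Token B with an account-scoped custom claim, as an added C# example that is not part of the original post. For a self-contained run it uses constructed RSA keys (in production the Trusted API’s public key would come from its JWKS endpoint, and Token B would be issued by Auth0 rather than signed by My API itself, so the signing step here is a stand-in); the issuer, audience and claim-namespace URLs are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

// Constructed keys: (a) stands in for the Trusted API's signing key (public half normally
// fetched from its JWKS); (b) stands in for whoever signs Token B (Auth0 in the real flow).
static class Keys
{
    public static readonly RsaSecurityKey TrustedApi = new RsaSecurityKey(RSA.Create(2048)) { KeyId = "trusted-1" };
    public static readonly RsaSecurityKey TokenBSigner = new RsaSecurityKey(RSA.Create(2048)) { KeyId = "myapi-1" };
}

static class TokenExchange
{
    const string TrustedIssuer = "https://trusted.example";      // hypothetical
    const string WebAppAudience = "my-web-app";                  // hypothetical: who Token A was issued for
    const string MyApiAudience = "https://myapi.example";        // hypothetical
    const string AccountClaim = "https://myapi.example/account_number"; // namespaced custom claim

    // Step 1: validate Token A fully (signature, issuer, audience, lifetime, algorithm)
    // before reading any claim from it. Throws SecurityTokenException on any failure.
    public static ClaimsPrincipal ValidateTokenA(string tokenA)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = TrustedIssuer,
            ValidAudience = WebAppAudience,
            IssuerSigningKey = Keys.TrustedApi,
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }, // rejects alg downgrade
            ClockSkew = TimeSpan.FromMinutes(1),
        };
        return new JwtSecurityTokenHandler().ValidateToken(tokenA, parameters, out _);
    }

    // Step 2: mint Token B for My API carrying the account number as a custom claim,
    // so authorization in My API can be limited to the caller's own account.
    public static string IssueTokenB(ClaimsPrincipal trusted, string accountNumber)
    {
        // The default handler maps "sub" to NameIdentifier; accept either form.
        var subject = trusted.FindFirst(ClaimTypes.NameIdentifier)?.Value
                      ?? trusted.FindFirst(JwtRegisteredClaimNames.Sub)?.Value
                      ?? throw new SecurityTokenException("Token A has no subject");
        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, subject),
            new Claim(AccountClaim, accountNumber),
        };
        var token = new JwtSecurityToken(
            issuer: MyApiAudience, audience: MyApiAudience, claims: claims,
            notBefore: DateTime.UtcNow, expires: DateTime.UtcNow.AddMinutes(15),
            signingCredentials: new SigningCredentials(Keys.TokenBSigner, SecurityAlgorithms.RsaSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}
```

Requires the System.IdentityModel.Tokens.Jwt package; My API must validate Token B on every later request with the same strictness used for Token A, and should check the account claim against the resource being requested rather than trusting the client to filter.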