Linking Primary and Secondary User from a Native App

I am using a Native App Client where the Users can use Passwordless OTP to Authenticate.

All valid Users will exist in my CRM and so outside of Auth0 we know their email and phone numbers.

My plan is to integrate our CRM and Auth0 Users (Database Connection) and so all Users will be created in Auth0 by the CRM. So my Integration process has scope to create users, assign roles, set metadata etc. I pass their Name, Email, Mobile (stored in the app_metadata, because Auth0 won’t let me set the phone_number) etc. This connection does not allow signups.

I am then using SMS and Email Passwordless Connections to Authenticate the User. These connections do allow signups. So for a User who has not authenticated before, then Auth0 creates them as a Secondary User.

I can then call the Link User Management API method to link them to my Primary User (from the CRM) and from then on Authentication works well because there is just one Primary User with one or more identities e.g. SMS and/or Email.

The problem is, what should do the search for the Primary User and call the link?

I think the best flow would be for my Native App to do a Search of Users (via the Management API) to see if any Primary User exists with the email or phone_number of the recently Authenticated User. If it finds one, it calls the Link method and everything is sorted. If it doesn’t find the Primary User the User is not given authorisation to any thing.

However, this means giving the Native App separate, presumably Machine-to-Machine credentials to Search ALL USERS and Link them. This seems too much access.

The only solution I can think of is to write my own API which, when a User authenticates gets an Access Token, is authorised to call my API which does the Searching/Linking in a more restricted way. My API could have Client Credentials with scopes to search/link Users. I think this approach would work but it seems a lot of hassle.

Can anyone think of a better way to link my Users without giving the Native App Client such authority?