Login users using POSTMAN

Hello,

We are using universal login in our application meaning that our users are redirected to Auth0 login form etc… That works like a charm.

Now we want to integrate part of our application in third party website, but their users shouldn’t see this login form from Auth0.

So what we want to achieve:

  1. User enters the third-party website.
  2. The third-party website, in the background, makes POST request(s) and retrieves a token (but the users aren’t aware of that). So everything will be configured in the third-party website where part of our application will be integrated.
  3. Also, we want this way of ‘‘direct’’ login to be available only for that particular third-party website, meaning that we want to have these settings on a separate application in Auth0 and keep the flow and how login works for the rest of the system and our users as it is now.

Is this possible and if it is please share some guidelines.

Thanks

Hi @Haris,

I think some more context will be helpful to answer this one.

  • Are you wanting the third party to make POST requests with the user credentials (username/pw)?
  • If the third party is making requests like that, do you trust them not to be logging user credentials?
  • I am not sure where Postman comes into this; can you elaborate on that?

If you trust this third party, and you are wanting to send plaintext credentials via a POST request, then you would use the resource owner password grant, but you will notice that we explicitly advise against using this method with third-party applications, as it will allow them to easily scrape user credentials. So this third party will need to be trusted as a first party, and it would not be advisable as you described.

Why not just have them redirect and get a token via universal login? It is a very common user experience at this point, with social logins etc.

Thanks,
Dan

Hi @dan.woda,

Let’s go through all your questions to make things clearer.

  • Are you wanting the third party to make POST requests with the user credentials (username/pw)?
    The idea is that the third party logs in without typing a username and password. They will have a generic user with credentials, and users of the third-party website shouldn’t know anything about it. They need to have the feeling that they are using the same application while they are accessing our webpage through the third-party web in an iframe. So basically the request will be made, let’s say, after a visitor logs in to the third-party website with their own credentials; they will make a POST request to Auth0 to get an access token for our website and store it in localStorage, for example.
  • If the third party is making requests like that, do you trust them not to be logging user credentials?
    Yes, we trust them. But in general I now see that it is not a good idea that they make the request directly, especially from an SPA (Single Page Application), because everyone will be able to see the request and request payload in their browser. What I am thinking is that they call our API and our API makes this POST to Auth0. I’ll try that today. Maybe in that case I’ll get rid of the CORS issue?
  • I am not sure where Postman comes into this; can you elaborate on that?
    Postman didn’t come into this at all. I said that the request is working through Postman, but if I invoke it through the application I’m getting CORS issues despite the allowed origin (CORS) being set properly.
  • Why not just have them redirect and get a token via universal login? It is a very common user experience at this point, with social logins etc.
    Unfortunately that shouldn’t be possible. All of them will use the same account; they will not have a username & password, and they shouldn’t care or know about it. As I said, they should think our application is part of the third-party application, and they should be logged in to our system “automatically”.

Thanks

@dan.woda

Update

The whole time I was calling http://OAUTH_URL/oauth/token instead of https, and that was the issue.

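The flow this thread converges on (the third-party page calls our API, our API performs the resource owner password grant against Auth0 over https with a server-held generic user, and only the resulting access token goes back to the browser), as an added example that is not part of any post here. `TokenBroker`, the tenant URL, the credentials and the `post` hook are assumptions; the form fields are the standard ones for `grant_type=password`.

```python
"""Server-side token broker (added example). The generic user's password and
the client secret never leave this process; the browser only gets the token.
TokenBroker, default_post and all sample values are assumptions."""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict


def default_post(url: str, form: Dict[str, str]) -> Dict:
    """POST a form-encoded body and decode the JSON reply (real network call)."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


class TokenBroker:
    def __init__(self, token_url, client_id, client_secret, username, password,
                 audience, post: Callable = default_post):
        scheme, host = urllib.parse.urlsplit(token_url)[:2]
        # The bug from the update above: a plain-http token URL fails, and it
        # would also put the generic user's password on the wire in clear text.
        if scheme != "https" or not host:
            raise ValueError("token endpoint must be an https URL: %r" % token_url)
        self._url = token_url
        self._form = {
            "grant_type": "password", "client_id": client_id,
            "client_secret": client_secret, "username": username,
            "password": password, "audience": audience,
        }
        self._post = post          # injectable so the class can be tested offline
        self._cached = None        # (access_token, expires_at)

    def access_token(self, now=time.time) -> str:
        """Return a cached token, refreshing it 60 s before it expires, so the
        shared generic account does not hit /oauth/token on every page view."""
        if self._cached and now() < self._cached[1] - 60:
            return self._cached[0]
        reply = self._post(self._url, dict(self._form))
        if "error" in reply:   # Auth0 reports failures as error/error_description
            raise RuntimeError(reply.get("error_description", reply["error"]))
        self._cached = (reply["access_token"], now() + reply.get("expires_in", 0))
        return self._cached[0]
```

Our API route for the third-party site calls `access_token()` and returns only that string, and the Auth0 application whose client id and secret are configured here is the separate one the question asks for, leaving the universal-login application untouched.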

Let us know if you have any other questions.
