Need advice on implementing SSO with a partner, that is not SAML or OpenID

Hi all,

Want to get some ideas on how to implement the following requirement.

My app is a React SPA that uses Auth0 Universal Login to authenticate users.

Recently, we have a partner who wants to embed my web app within their mobile app, using an embedded WebView on mobile. The partner wants to use the OAuth token to bypass the login flow. Basically, our app will have some unauthenticated page to receive the OAuth token, and we want to use the OAuth token to read the user information (email address) and log in the user silently, i.e. no prompt for email / password.

The partner does not support SAML or OpenID, and passing in the OAuth token is a hard requirement.

My current idea is that with the OAuth token from the partner, I can figure out the Auth0 user on my backend. Then I want to send back cookies to simulate that the user is signed in already. I checked social providers and silent authentication, but did not find anything similar.

Want to hear some advice on this from the community.
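
An added example (not part of the original post, and not Auth0 or partner code) of the backend check the idea above needs before any cookie is issued. It assumes the partner offers token introspection with RFC 7662-style fields plus `email` and `email_verified`; the issuer, audience, cookie name and function names are hypothetical placeholders.

```javascript
const crypto = require("node:crypto");

// Assumption: values agreed with the partner out of band (hypothetical here).
const EXPECTED = { issuer: "https://idp.partner.example", audience: "my-app-client-id" };

// Constructed sample introspection result (not real partner data).
const SAMPLE = { active: true, iss: "https://idp.partner.example",
  aud: "my-app-client-id", exp: 1700000060,
  email: " User@Example.com ", email_verified: true };

// Decide whether an introspection result may be used to sign a user in.
// Returns { ok: true, email } or { ok: false, reason }.
function checkPartnerToken(info, nowSec = Math.floor(Date.now() / 1000)) {
  if (!info || info.active !== true) return { ok: false, reason: "inactive" };
  if (info.iss !== EXPECTED.issuer) return { ok: false, reason: "wrong issuer" };
  const aud = Array.isArray(info.aud) ? info.aud : [info.aud];
  // A token minted for a different client must not log anyone in here.
  if (!aud.includes(EXPECTED.audience)) return { ok: false, reason: "wrong audience" };
  if (typeof info.exp !== "number" || info.exp <= nowSec)
    return { ok: false, reason: "expired" };
  // Only a verified email is safe to map onto an existing local account.
  if (typeof info.email !== "string" || info.email_verified !== true)
    return { ok: false, reason: "email not verified" };
  return { ok: true, email: info.email.trim().toLowerCase() };
}

// Issue an opaque session id; the email stays server-side in `sessions`.
function newSessionCookie(sessions, email, ttlSec = 3600) {
  const id = crypto.randomBytes(32).toString("base64url");
  sessions.set(id, { email, expires: Date.now() + ttlSec * 1000 });
  return `sid=${id}; Max-Age=${ttlSec}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Logic of the hand-off endpoint: reject unless every check passes.
function handlePartnerLogin(info, sessions, nowSec) {
  const r = checkPartnerToken(info, nowSec);
  if (!r.ok) return { status: 401, reason: r.reason };
  return { status: 204, setCookie: newSessionCookie(sessions, r.email) };
}
```

The partner token itself is best received in a POST body rather than a query string, so it does not end up in access logs or browser history.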