I have what I think is a pretty straightforward OAuth-ish scenario, but I’m struggling to model it in Auth0.
My plan was:
- Get ExternalApp to use the client credentials flow to authenticate itself to my API and receive an externalAppToken that expires in 24 hours, but also receives a refresh token for itself
- Depending on the ExternalApp, I want to be able to give it the auth.userToken.create permission
- If the ExternalApp has the above permission, it can hit an endpoint on my API and receive a user token that expires in 2 hours
- The ExternalApp can then use the userToken to go to the user API and fetch information about the user
Can someone point me to some docs or a blueprint of how I can accomplish this?
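Added example (editor's sketch, not code from the original post and not Auth0's own API): the four steps above modelled as one stdlib-only Python flow, so the trust boundaries are visible. The issuer, audiences, client ids, user store and shared HS256 secret are all constructed for the example; a real deployment would verify the externalAppToken against the tenant's RS256 JWKS instead of a shared secret. The `permissions` array claim is what Auth0 adds to an access token when RBAC with "Add Permissions in the Access Token" is enabled for the API. Two points a practitioner would check: each token is bound to a single `aud`, so the 24h app token is useless at the user API and the 2h user token cannot be replayed against the token-creation endpoint; and the minted user token records the requesting app in `azp`. One caveat on the refresh-token bullet: RFC 6749 §4.4.3 says a refresh token SHOULD NOT be issued for the client credentials grant, so the app simply re-authenticates with its credentials when the 24h token expires.

```python
"""Two-tier token flow: client-credentials app token -> permission-gated user token -> user API.
Everything here (secret, audiences, client ids, users) is constructed for the example."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-use"  # assumption: one HS256 key shared by issuer and both APIs
API_AUDIENCE = "https://my-api.example"          # assumption: audience of the 24h externalAppToken
USER_API_AUDIENCE = "https://user-api.example"   # assumption: audience of the 2h userToken
CREATE_USER_TOKEN = "auth.userToken.create"      # the permission named in the post

# Constructed user store standing in for the user API's backend
USERS = {"auth0|alice": {"name": "Alice", "email": "alice@example.com"}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict) -> str:
    """Sign claims as a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify(token: str, audience: str, now: float) -> dict:
    """Check signature, audience and expiry; every caller binds the token to exactly one audience."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this audience")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def issue_external_app_token(client_id: str, permissions: list, now: float) -> str:
    """Step 1: what the authorization server hands ExternalApp after a client-credentials grant."""
    return mint({"iss": "https://issuer.example", "sub": f"{client_id}@clients", "aud": API_AUDIENCE,
                 "iat": int(now), "exp": int(now) + 24 * 3600, "permissions": permissions})


def create_user_token(external_app_token: str, user_id: str, now: float) -> str:
    """Steps 2-3: my API's endpoint; only apps holding auth.userToken.create may mint a user token."""
    app = verify(external_app_token, API_AUDIENCE, now)
    if CREATE_USER_TOKEN not in app.get("permissions", []):
        raise PermissionError(f"{app['sub']} lacks {CREATE_USER_TOKEN}")
    if user_id not in USERS:
        raise KeyError("unknown user")
    return mint({"iss": "https://my-api.example", "sub": user_id, "aud": USER_API_AUDIENCE,
                 "azp": app["sub"],  # which ExternalApp this user token was minted for
                 "iat": int(now), "exp": int(now) + 2 * 3600})


def get_user(user_token: str, now: float) -> dict:
    """Step 4: the user API accepts only the 2h user token, never the 24h app token."""
    claims = verify(user_token, USER_API_AUDIENCE, now)
    return dict(USERS[claims["sub"]], requested_by=claims["azp"])


def is_rejected(fn, *args) -> bool:
    """True when a call is refused for a bad or misused token or a missing permission."""
    try:
        fn(*args)
    except (ValueError, PermissionError, KeyError):
        return True
    return False


if __name__ == "__main__":
    t0 = time.time()
    app_tok = issue_external_app_token("ext-app-1", [CREATE_USER_TOKEN], t0)
    user_tok = create_user_token(app_tok, "auth0|alice", t0)
    print(get_user(user_tok, t0))
    print("app token at user API rejected:", is_rejected(get_user, app_tok, t0))
```

Running the module walks the happy path once and then shows the app token being refused at the user API; the same `verify` helper also refuses an expired user token while the longer-lived app token is still valid, and refuses any token whose signature does not match its payload.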