Thanks jmangelo for the response. Yes, the customer is managing the users and their credentials and we don’t have control over it.
I am wondering whether the approach below would work:
- We’ll share a client_id and client_secret to the customer.
- Once the user logs into the customer application, the customer application's server-side code will hit the Auth0 token endpoint, passing the client credentials and custom claims like user name, roles and scopes to generate a token.
- The customer server-side code will store this generated token for the user in their backend and pass it to the browser code when required.
- The browser can make calls to our APIs using this token.
- On our API side, we’ll validate the token and decode it to get the user name, role and scopes.
Do you have any comments on the above approach?
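As an added example (not part of the original post or of Auth0's own code), here is what the API-side check in the last step could look like: verify the signature with a pinned algorithm, then check issuer, audience and expiry before reading the user name, roles and scopes out of the claims. To stay offline and standard-library only it uses a constructed HS256 shared secret and placeholder issuer, audience and claim-namespace values; Auth0 access tokens are normally RS256-signed and would be verified against the tenant's JWKS instead, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example only (not real tenant settings).
EXAMPLE_SECRET = b"example-hs256-secret-not-for-production"
EXPECTED_ISSUER = "https://example-tenant.example/"      # placeholder issuer
EXPECTED_AUDIENCE = "https://api.example.com"          # placeholder API identifier
CLAIM_NAMESPACE = "https://example.com/"                 # placeholder custom-claim namespace


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs256_token(claims: dict, secret: bytes = EXAMPLE_SECRET) -> str:
    """Build a compact JWS (HS256) so the validator has a token to work on."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, secret: bytes = EXAMPLE_SECRET,
                   now: Optional[float] = None) -> dict:
    """Verify signature, alg, iss, aud and exp; only then return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token header must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("token expired")
    return claims


def extract_identity(claims: dict, namespace: str = CLAIM_NAMESPACE) -> dict:
    """Read user name, roles and scopes from already-validated claims."""
    scope = claims.get("scope", "")
    return {
        "user": claims.get(namespace + "username"),
        "roles": list(claims.get(namespace + "roles", [])),
        "scopes": set(scope.split()) if scope else set(),
    }


def authorize(claims: dict, required_scope: str) -> bool:
    """Authorization decision for one API route, based on the scope claim."""
    return required_scope in extract_identity(claims)["scopes"]


def demo() -> dict:
    # Constructed sample claims standing in for what the customer backend would request.
    claims = {
        "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": 2_000_000_000,
        "scope": "read:orders",
        CLAIM_NAMESPACE + "username": "alice",
        CLAIM_NAMESPACE + "roles": ["admin"],
    }
    token = mint_hs256_token(claims)
    identity = extract_identity(validate_token(token, now=1_700_000_000))
    # A token signed with a different key must be rejected, whatever its claims say.
    forged = mint_hs256_token(dict(claims, **{CLAIM_NAMESPACE + "roles": ["superadmin"]}),
                              secret=b"some-other-key")
    try:
        validate_token(forged, now=1_700_000_000)
        identity["forged_rejected"] = False
    except TokenError:
        identity["forged_rejected"] = True
    return identity


if __name__ == "__main__":
    print(demo())
```

The order matters: nothing in the payload (user name, roles, scope) is read until the signature, algorithm, issuer, audience and expiry have all passed, so a tampered or foreign token never reaches the authorization step.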