Hello,
I am investigating if Auth0 is an alternative for the identity providers that we currently support (ADFS 4.0, AzureAD).
We have the following application setup:
• Frontend application that consists of a JavaScript Angular application and a frontend API
• Backend with a backend API
We currently have the following flow:
- JavaScript application authenticates the user with the IDP using implicit flow and gets back an access token (token1)
- JavaScript application calls the frontend API and passes token1
- Frontend API validates token1
- Frontend API exchanges token1 for an access token that can be used for the backend API (token2)
- Frontend API calls the backend API and passes token2
- Backend API validates token2 and processes the request
To implement step 4, we are using ‘token exchange’, see RFC 8693 - OAuth 2.0 Token Exchange.
An earlier version of this draft is implemented by AzureAD and ADFS 4.0, see for instance this page: Authentication vs. authorization - Microsoft Entra | Microsoft Learn
I read elsewhere on this forum that this is not supported by Auth0, see: Token exchange multiple audiences
I have the following questions:
- Is the information still correct that Auth0 currently does not support such a feature?
- Can I find anywhere if such a feature is on the roadmap for Auth0?
- Do you have suggestions on how to handle our setup other than the ones already described in the post mentioned above?
Thank you,
Tim Jansen
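The frontend-API hop described in steps 3 to 6 of the post, written out as an added example. This is not code from the original post, nor from Auth0, Azure AD or ADFS: the identity provider's token endpoint is an in-process mock, tokens are HS256 JWTs under one shared key so that everything runs offline, and the issuer, audiences, client id/secret and key are all hypothetical names. It also adds two checks the post does not spell out but that a practitioner would want: the mock IdP only honours an exchange for (client, audience) pairs it has been configured to allow, and the backend rejects token1 outright because its audience is the frontend API.

```python
"""RFC 8693 token exchange for the frontend API -> backend API hop.
Constructed example: in-process mock token endpoint, HS256 under one shared key.
A real deployment verifies against the IdP's JWKS over HTTPS.
Issuer, audiences, client credentials and key below are hypothetical."""
import base64, hashlib, hmac, json

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
ISSUER = "https://idp.example"                              # hypothetical
FRONTEND_AUD = "frontend-api"                               # audience of token1
BACKEND_AUD = "backend-api"                                 # audience of token2
CLIENT_ID, CLIENT_SECRET = "frontend-api-client", "s3cret"  # hypothetical
IDP_KEY = b"idp-hs256-key-for-this-example-only"            # hypothetical
ALLOWED_EXCHANGES = {(CLIENT_ID, BACKEND_AUD)}  # which client may get which audience
TTL = 300

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, audience: str, now: int) -> dict:
    """Check alg, signature, issuer, expiry and audience; ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust alg=none
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    aud = claims.get("aud")
    if not (aud == audience or (isinstance(aud, list) and audience in aud)):
        raise ValueError("audience mismatch")  # this is what keeps token1 off the backend
    return claims

def issue_token1(sub: str, now: int) -> str:
    """Stand-in for step 1: the token the JavaScript app gets for the frontend API."""
    return sign_jwt({"iss": ISSUER, "sub": sub, "aud": FRONTEND_AUD,
                     "iat": now, "exp": now + TTL}, IDP_KEY)

def build_exchange_request(subject_token: str, audience: str, scope: str = "") -> dict:
    """Form parameters of an RFC 8693 section 2.1 request, plus client authentication."""
    params = {"grant_type": TOKEN_EXCHANGE_GRANT, "subject_token": subject_token,
              "subject_token_type": ACCESS_TOKEN_TYPE,
              "requested_token_type": ACCESS_TOKEN_TYPE, "audience": audience,
              "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
    if scope:
        params["scope"] = scope
    return params

def mock_token_endpoint(params: dict, now: int) -> dict:
    """In-process stand-in for the IdP's token endpoint (not Auth0's or Azure AD's code)."""
    if params.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return {"error": "unsupported_grant_type"}
    if params.get("subject_token_type") != ACCESS_TOKEN_TYPE or "audience" not in params:
        return {"error": "invalid_request"}
    if (params.get("client_id") != CLIENT_ID
            or not hmac.compare_digest(params.get("client_secret", ""), CLIENT_SECRET)):
        return {"error": "invalid_client"}
    if (params["client_id"], params["audience"]) not in ALLOWED_EXCHANGES:
        return {"error": "invalid_target"}  # RFC 8693 section 2.2.2 error code
    try:  # the subject token must be a live token the IdP issued for the frontend API
        subject = verify_jwt(params["subject_token"], IDP_KEY, FRONTEND_AUD, now)
    except ValueError:
        return {"error": "invalid_grant"}
    token2 = sign_jwt({"iss": ISSUER, "sub": subject["sub"], "aud": params["audience"],
                       "scope": params.get("scope", ""), "iat": now, "exp": now + TTL},
                      IDP_KEY)
    return {"access_token": token2, "issued_token_type": ACCESS_TOKEN_TYPE,
            "token_type": "Bearer", "expires_in": TTL}

def exchange_for_backend(token1: str, now: int, scope: str = "orders:read") -> str:
    """Steps 3 and 4: validate token1, then exchange it for token2."""
    verify_jwt(token1, IDP_KEY, FRONTEND_AUD, now)
    resp = mock_token_endpoint(build_exchange_request(token1, BACKEND_AUD, scope), now)
    if "error" in resp:
        raise RuntimeError("token exchange failed: " + resp["error"])
    return resp["access_token"]

def backend_api(token: str, now: int) -> dict:
    """Step 6: the backend accepts only tokens whose audience is itself."""
    claims = verify_jwt(token, IDP_KEY, BACKEND_AUD, now)
    return {"user": claims["sub"], "scope": claims.get("scope", "")}

def backend_accepts(token: str, now: int) -> bool:
    try:
        backend_api(token, now)
        return True
    except ValueError:
        return False
```

In the real flow `mock_token_endpoint` is an HTTPS POST of `build_exchange_request(...)` as form data to the IdP's token endpoint; the validation order on the IdP side (grant type, client authentication, allowed target, then the subject token) and the audience check on the backend are the parts worth keeping whichever provider issues the tokens.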