Open Id Connect Token Exchange and Auth0


I am investigating if Auth0 is an alternative for the identity providers that we currently support (ADFS 4.0, AzureAD).

We have the following application setup:
• Frontend application that consists of a JavaScript angular application, and a frontend API
• Backend with a backend API

We currently have the following flow:

  1. Javascript application authenticates the user with the IDP using implicit flow and gets back an access token (token1)
  2. Javascript application calls the frontend API and passes token1
  3. Frontend API validates token1
  4. Frontend API exchanges token1 for an access token that can be used for the backend API (token2)
  5. Frontend API calls the backend API and passes token2
  6. Backend API validates token2 and processes the request

To implement step 4, we are using ‘token exchange’, see RFC 8693 - OAuth 2.0 Token Exchange

An earlier version of this draft is implemented by AzureAD and ADFS 4.0, see for instance this page: Authentication vs. authorization - Microsoft Entra | Microsoft Learn

I read elsewhere on this forum that this is not supported by Auth0, see : Token exchange multiple audiences

I have the following questions:

  1. Is the information still correct that Auth0 currently does not support such a feature?
  2. Can I find anywhere if such a feature is on the roadmap for Auth0?
  3. Do you have suggestions on how to handle our setup other than the ones already described in the post mentioned above?

Thank you,

Tim Jansen

Hey there @tim.jansen

As it has been more than a few months since this topic was opened and there has been no reply or further information provided from the community as to the existence of the issue we would like to check if you are still facing the described challenge?

We are more than happy to assist in any way! If the issue is still out there please let us know so we can create a new thread for better visibility, otherwise we’ll close this one in week’s time.

Thank you!

This topic was automatically closed 6 days after the last reply. New replies are no longer allowed.