I am investigating if Auth0 is an alternative for the identity providers that we currently support (ADFS 4.0, AzureAD).
We have the following application setup:
- Backend with a backend API
We currently have the following flow:
- Frontend API validates token1
- Frontend API exchanges token1 for an access token that can be used for the backend API (token2)
- Frontend API calls the backend API and passes token2
- Backend API validates token2 and processes the request
To implement step 4, we are using ‘token exchange’, see https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
An earlier version of this draft is implemented by AzureAD and ADFS 4.0, see for instance this page: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios#daemon-or-server-application-to-web-api
I read elsewhere on this forum that this is not supported by Auth0, see: Token exchange multiple audiences
I have the following questions:
- Is the information still correct that Auth0 currently does not support such a feature?
- Can I find anywhere if such a feature is on the roadmap for Auth0?
- Do you have suggestions on how to handle our setup other than the ones already described in the post mentioned above?
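Added example (not part of the original post, and not Auth0's or Microsoft's code): the token-exchange request the frontend API would send per the draft linked above, the checks on the token endpoint's reply, and the audience/issuer/expiry validation each API applies to the token it receives. The issuer, audience URIs and claim sets are constructed for illustration; signature verification is assumed to happen before these claim checks.

```python
import json
import time
from urllib.parse import urlencode

# Identifiers defined by draft-ietf-oauth-token-exchange (later RFC 8693).
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed sample values (placeholders, not real tenants).
ISSUER = "https://idp.example/"
FRONTEND_AUD = "api://frontend"
BACKEND_AUD = "api://backend"
NOW = 1_700_000_000
TOKEN1_CLAIMS = {"iss": ISSUER, "aud": FRONTEND_AUD, "sub": "user1", "exp": NOW + 600}
TOKEN2_CLAIMS = {"iss": ISSUER, "aud": [BACKEND_AUD], "sub": "user1", "exp": NOW + 600}
EXCHANGE_RESPONSE = json.dumps({"access_token": "token2.jwt", "token_type": "Bearer",
                                "issued_token_type": ACCESS_TOKEN_TYPE, "expires_in": 600})


def build_exchange_request(token1, backend_audience, scope=None):
    """Form body the frontend API POSTs to the IdP token endpoint to trade token1 for token2."""
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": token1,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "audience": backend_audience,  # the backend API, so token1 itself is never forwarded
    }
    if scope:
        params["scope"] = scope
    return urlencode(params)


def parse_exchange_response(body):
    """Check the token endpoint's JSON reply and return token2; reject unexpected token kinds."""
    resp = json.loads(body)
    if resp.get("issued_token_type") != ACCESS_TOKEN_TYPE:
        raise ValueError("unexpected issued_token_type")
    if resp.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return resp["access_token"]


def validate_claims(claims, expected_iss, expected_aud, now=None, skew=60):
    """Claim checks an API runs on a received token (after verifying its signature).
    Audience may be a string or a list; exp/nbf are checked with a small clock skew."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != expected_iss or expected_aud not in auds:
        return False
    if "exp" not in claims or now > claims["exp"] + skew:
        return False
    return now + skew >= claims.get("nbf", 0)
```

Run against the constructed claim sets, the backend API accepts token2 but rejects token1, which is exactly the separation the exchange step provides.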