Our application users will be redirected to our vendor application, but they should be able to use centralized authn

Users log in to our application, where there will be a link redirecting to our vendor website, on which they will see offers and cashback-related ads.

The requirement is to have centralized authentication and to delegate the user details & access to the vendor website, and they should be able to authenticate the user and show relevant content to them.

We thought of using Auth0 for this requirement, but as it is our first assignment, we have a little confusion about the implementation.

  1. The vendor does not need any access to our APIs or system, but they need access to our users’ profile details (which should be consumed from Auth0).
  2. Our application redirects to the vendor application through a link (maybe an access token or something is passed, along with the user email or identifier and the callback URL to return the user back to our application).
  3. The vendor application should use the email or identifier and the token to get the user details from Auth0 and show the offers to the user on their page.
  4. Once the user is done with the vendor page, they will be redirected back to our application using the callback URL sent to them. The user should be able to continue browsing our application.

We need the right approach for this scenario using Auth0. Also, how do we maintain sessions using the access token/refresh token in both applications? The vendor wants the user to be logged out if the user logs out from our application.
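One way the vendor side of step 3 could accept the hand-off described in step 2, as added example code that is not from the original post or from Auth0: the user identity is taken from a verified token rather than from the email in the link, and the callback URL is checked against an allowlist before the user is sent back. The HS256 shared secret, tenant domain, audience and host names are constructed placeholders; a real Auth0 access token is RS256-signed and is verified against the tenant's JWKS instead.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlparse

# Constructed stand-in for the Auth0 tenant's signing key. Real Auth0 access tokens are
# RS256-signed and are verified against the tenant's JWKS (/.well-known/jwks.json).
SIGNING_SECRET = b"constructed-demo-secret"
EXPECTED_ISSUER = "https://example-tenant.auth0.com/"  # placeholder tenant
EXPECTED_AUDIENCE = "https://vendor.example/offers"    # placeholder API identifier
ALLOWED_CALLBACK_HOSTS = {"app.example"}               # placeholder partner host

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(sub, email, now, ttl=300):
    """Constructed issuer side, present only so the example runs offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": sub,
              "email": email, "iat": now, "exp": now + ttl}
    body = ".".join(_b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    sig = hmac.new(SIGNING_SECRET, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url_encode(sig)

def verify_token(token, now):
    """Vendor side: accept only if signature, issuer, audience and expiry all hold."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # the token never picks the alg
        return None
    expected = hmac.new(SIGNING_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return None
    return claims if claims.get("exp", 0) > now else None

def accept_handoff(token, claimed_email, callback_url, now):
    """Vendor landing endpoint: identity comes from the verified token, and the return URL must point at the partner app."""
    claims = verify_token(token, now)
    if claims is None or claims.get("email") != claimed_email:
        return None
    cb = urlparse(callback_url)
    if cb.scheme != "https" or cb.hostname not in ALLOWED_CALLBACK_HOSTS:
        return None
    return {"user": claims["sub"], "email": claims["email"], "return_to": callback_url}
```

A token that fails any check is rejected before the vendor calls Auth0 for profile data, and a callback pointing at a host outside the allowlist is never used for the redirect back.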