Hi all
We have an API endpoint that allows retrieving basic information about a user, e.g. GET /tenants/{TENANT}/employees/{EMPLOYEE_EMAIL}
Each employee entity contains a bunch of properties + display name and contact email address.
For the sake of example, let's say that each tenant is a company that has N (100-1000) employees.
To access the endpoint, the request must have a token whose payload scope property contains the read:employees value.
For now the endpoint was only available to registered employees (some admins acting on behalf of the tenant), so in order to access the endpoint you need to log in to get a token and then request the endpoint with the retrieved token.
The endpoint returns some basic information that would be beneficial for each tenant employee, so we're exploring options for making this endpoint available to all tenant employees with the following restrictions:
- tenant admins can still access any tenant employee's information
- an employee can access only its own employee entity data (EMPLOYEE_EMAIL in path == employee contact email verification)
We don't want to create an account/user for each employee in our system; we were thinking about having a new component that is responsible for validating and generating one-time tokens for anonymous users. At first glance, Passwordless authentication looks like something that could help us.
Idea on a high level:
- anonymous employee opens a UI page and provides their email address
- component starts Passwordless authentication (Authentication API Explorer) to send an OTP code to the anonymous employee
- when the anonymous employee provides the code on the UI, we send the (contactEmail, otpCode) tuple to the component - the component validates whether an employee with the given contactEmail exists in the system; if yes, then we want to exchange the (contactEmail, otpCode) tuple for an auth token - the generated token will have contactEmail propagated as a custom claim - it will have scope read:specific_employee, for which we will allow only data retrieval when contactEmail from the token == path EMPLOYEE_EMAIL
- generated token will have
I did some initial testing and see that Passwordless authentication won't work out of the box because employees don't have an auth0 account, so token generation with "grant_type":"http://auth0.com/oauth/grant-type/passwordless/otp" ends with
{"error":"access_denied","error_description":"user not found"}
I was wondering whether it is somehow possible to configure the flow so that
- we always generate tokens on behalf of the new component's single email/user
- email code verification is done by the auth0 mechanism
We just want proof that the anonymous employee has access to the email inbox before generating a token that will allow access to data for the given contactEmail.
Alternatively, we can implement email sending and keeping track of valid codes as part of the new component, then use the client credentials flow, but ideally we would like to re-use the capabilities exposed by your API and just customize them according to our needs instead of writing everything from scratch.
Thanks in advance for any help/suggestions!
Sebastian
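The authorization rule described in the post (admins with read:employees may read any employee; a token carrying read:specific_employee may only read the entity whose path email equals its contactEmail claim) is the part the API itself has to enforce, whichever component issues the token. The following is an added illustration of that check, not code from the original post or from Auth0. It assumes the access token has already been signature- and expiry-verified and decoded into a dict of claims, that "scope" is the usual space-delimited OAuth string, and that the custom claim is literally named contactEmail as in the post; the sample claim sets at the bottom are constructed.

```python
"""Authorization check for GET /tenants/{TENANT}/employees/{EMPLOYEE_EMAIL}.

Added example, not the original poster's code. Assumes the JWT was already
verified (signature, issuer, audience, expiry) upstream and decoded into a
dict; this function only decides whether those verified claims permit reading
the employee entity addressed by the path.
"""
from typing import Tuple

SCOPE_ANY_EMPLOYEE = "read:employees"          # tenant admin token
SCOPE_OWN_EMPLOYEE = "read:specific_employee"  # OTP-verified employee token
EMAIL_CLAIM = "contactEmail"                   # custom claim name from the post


def _normalize_email(value: str) -> str:
    # Compare addresses case-insensitively and without stray whitespace so that
    # "Alice@Example.com " and "alice@example.com" denote the same employee and
    # a mismatch in casing neither grants nor denies access by accident.
    return value.strip().lower()


def _scopes(claims: dict) -> set:
    # OAuth "scope" is a space-delimited string; tolerate a list as well.
    raw = claims.get("scope", "")
    if isinstance(raw, str):
        return set(raw.split())
    return set(raw)


def authorize_employee_read(claims: dict, path_email: str) -> Tuple[bool, str]:
    """Return (allowed, reason). The reason is meant for the access log."""
    scopes = _scopes(claims)

    # Rule 1: admin scope reads any employee of the tenant.
    if SCOPE_ANY_EMPLOYEE in scopes:
        return True, "admin scope"

    # Rule 2: self-service scope reads exactly one employee: the one whose
    # contact email was proven by the OTP exchange and bound into the token.
    if SCOPE_OWN_EMPLOYEE in scopes:
        token_email = claims.get(EMAIL_CLAIM)
        if not isinstance(token_email, str) or not token_email.strip():
            # A self-service token without the binding claim is useless; deny
            # rather than fall back to any broader access.
            return False, "missing contactEmail claim"
        if _normalize_email(token_email) == _normalize_email(path_email):
            return True, "self access"
        return False, "contactEmail does not match path EMPLOYEE_EMAIL"

    # Exact scope membership only: a scope such as "read:employees_summary"
    # must not be treated as read:employees by a prefix match.
    return False, "no employee read scope"


# Constructed sample claim sets (already-verified token payloads).
ADMIN_CLAIMS = {"sub": "auth0|admin-1", "scope": "openid read:employees"}
SELF_CLAIMS = {"sub": "otp-component", "scope": "read:specific_employee",
               "contactEmail": "Alice@Example.com"}
NO_CLAIM = {"sub": "otp-component", "scope": "read:specific_employee"}

if __name__ == "__main__":
    for claims, path in [(ADMIN_CLAIMS, "bob@example.com"),
                         (SELF_CLAIMS, "alice@example.com"),
                         (SELF_CLAIMS, "bob@example.com"),
                         (NO_CLAIM, "alice@example.com")]:
        print(path, authorize_employee_read(claims, path))
```

The decision is returned together with a reason string so that denials (claim missing, email mismatch, no scope) can be logged distinctly; a spike of "contactEmail does not match" denials for one token is exactly the signal you would want to see if a self-service token were being replayed against other employees' paths.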