Passwordless Token generation for anonymous users

Hi all

We have an API endpoint that allows retrieving basic information about a user, e.g. GET /tenants/{TENANT}/employees/{EMPLOYEE_EMAIL}
Each employee entity contains a bunch of properties plus a display name and contact email address.
For the sake of example, let's say that each tenant is a company that has N (100-1000) employees.

To access the endpoint, the request must have a token whose payload has a scope property that contains the read:employees value.
For now the endpoint was only available to registered employees (some admins acting on behalf of the tenant), so in order to access the endpoint you need to log in to get a token and then request the endpoint with the retrieved token.

The endpoint returns some basic information that would be beneficial for each tenant employee, so we're exploring options for how to make this endpoint available to all tenant employees with the following restrictions:

  • tenant admins can still access any tenant employee information
  • an employee can access only their own employee entity data (EMPLOYEE_EMAIL in path == employee contact email verification)

We don't want to create an account/user for each employee in our system; we were thinking about having a new component that is responsible for validating and generating one-time tokens for anonymous users. At first glance Passwordless authentication looks like something that could help us.

Idea on high level:

  • an anonymous employee opens the UI page and provides their email address
  • the component starts Passwordless authentication (Authentication API Explorer) to send an OTP code to the anonymous employee
  • when the anonymous employee provides the code in the UI, we send the (contactEmail, otpCode) tuple to the component
  • the component validates whether an employee with the given contactEmail exists in the system; if yes, then we want to exchange the (contactEmail, otpCode) tuple for an auth token
    • the generated token will have contactEmail propagated as a custom claim
    • it will have the scope read:specific_employee, for which we will allow data retrieval only when contactEmail from the token == path EMPLOYEE_EMAIL

I did some initial testing and saw that Passwordless authentication won't work out of the box because employees don't have an Auth0 account, so token generation with "grant_type":"http://auth0.com/oauth/grant-type/passwordless/otp" ends with

{"error":"access_denied","error_description":"user not found"}

I was wondering whether it is somehow possible to configure the flow so that

  • we always generate tokens on behalf of the new component's single email/user
  • email code verification is done by the Auth0 mechanism

We just want proof that the anonymous employee has access to the email inbox before generating a token that will allow access to data for the given contactEmail.

Alternatively, we can implement email sending and keeping track of valid codes as part of the new component, then use the client credentials flow, but ideally we would like to re-use the capabilities exposed by your API and just customize them according to our needs instead of writing everything from scratch.

Thanks in advance for any help/suggestions!
Sebastian
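The authorization rule the post describes for the endpoint (read:employees may read any employee; read:specific_employee may read only the entity whose EMPLOYEE_EMAIL matches the token's contactEmail claim), written out as an added example that is not part of the original post. It assumes the API already verified the token's signature, that scope is the space-delimited OAuth string, and that e-mail comparison is case-insensitive; the function and claim-handling names are hypothetical.

```python
ADMIN_SCOPE = "read:employees"          # scope name from the post: any tenant employee
SELF_SCOPE = "read:specific_employee"   # scope name from the post: own entity only
EMAIL_CLAIM = "contactEmail"            # custom claim name from the post


def normalize_email(email: str) -> str:
    """Assumption: addresses compare case-insensitively, ignoring surrounding whitespace."""
    return email.strip().lower()


def scopes_of(claims: dict) -> set[str]:
    """OAuth 2.0 'scope' is a space-delimited string; a list of strings is tolerated too."""
    raw = claims.get("scope", "")
    return set(raw.split()) if isinstance(raw, str) else set(raw)


def is_allowed(claims: dict, path_email: str) -> tuple[bool, str]:
    """Decide whether an already-verified token may read /employees/{path_email}.

    Returns (allowed, reason) so the API can log the reason for a denial
    without echoing token contents back to the caller.
    """
    scopes = scopes_of(claims)
    if ADMIN_SCOPE in scopes:
        return True, "admin scope"
    if SELF_SCOPE not in scopes:
        return False, "missing scope"
    claim_email = claims.get(EMAIL_CLAIM)
    if not isinstance(claim_email, str) or not claim_email:
        # A self-scoped token without the claim must never fall through to "allowed".
        return False, "token lacks contactEmail claim"
    if normalize_email(claim_email) == normalize_email(path_email):
        return True, "self access"
    return False, "contactEmail does not match path"


if __name__ == "__main__":
    # Constructed sample token payloads, as the API would see them after signature verification.
    print(is_allowed({"scope": "read:employees"}, "alice@example.com"))
    print(is_allowed({"scope": "read:specific_employee", "contactEmail": "Alice@Example.com"}, "alice@example.com"))
    print(is_allowed({"scope": "read:specific_employee", "contactEmail": "alice@example.com"}, "bob@example.com"))
```

Binding the admin scope to the tenant in the path is not shown here because the post does not describe a tenant claim in the token.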