Programmatically get access_token for a user by id

Is there any way how I can generate access_token for a user programmatically via auth0 API?

I have a portal where a user can login with username/password or Google. After successful login, I need to give a user ability to login to other APIs, but I don’t want to ask him for username / password again.

So the use case as follows:

  1. A user authenticates in a special portal
  2. Inside of this portal I have a list of services (different auth0 APIs / clients)
  3. On click, I want to generate new auth data using current access_token/id_token to use for this service

Is there any way how can I achieve it using Auth0?


1 Like

Access Tokens are issued via Auth0’s OAuth 2.0 endpoints: /authorize and /oauth/token. Calling one of these will grant you an access_token

Could you please give me more details how I can use it in this scenario? We don’t use Auth0 Lock page, we have a custom login form hosted on our domain.

/authorize requires using Auth0 site by the end user. We use custom auth form it won’t work since a user is not authenticated on Auth0 lock page.

/oauth/token has following grants:

  1. authorization_code - doesn’t work because I don’t have code from /authorize call. Maybe I can generate it using API?
  2. client_credentials - doesn’t work because it authenticates API client, not an end user.
  3. password - doesn’t work for 2 reasons. First, I don’t want to store username and password anywhere in a session. 2. It doesn’t work for Google accounts since there are no passwords.
  4. mfa-otp - doesn’t work because it has different purpose.

Am I missing something?

So you’re not authenticating the users at all with Auth0? If that’s the case, then before you could get an access_token you would have to authenticate with Auth0 first.

If I am missing something, please let me know how you’re authenticating with Auth0 and we can go from there.

We authenticate users with a regular flow (grant_type=password or callback from /authorize). At this point, a user has an access_token which we use to validate him and retrieve some information about him.

We have a list of other services which user has an access to. They also use Auth0 and share same users, but use different Auth0 APIs / Clients to access. So we cannot use the same access_token for the user we have there.

What I need is to create an access_token for the user to use in different service, but without asking a user for a password again. I need some way to create access_token for these clients via API.

Does it make sense?

:wave: @dlitsman are your APIs configured in Auth0?

I may have missed it in the messages, but what kind of application do you have? A Single Page application, a WebApp, etc? If you have a Single Page Application you can use the Implicit Grant flow.

1 Like

Let me try to describe it in other words…

We have a PORTAL. PORTAL is a place where we want a user to log in.

Also, we have different services, Let’s say Service A, Service B, and Service C. All 4 of them PORTAL and services are using Auth0 for authentication and share users, but use different Auth0 Clients.

What I want to achieve is then user log in to the PORTAL it can then get access_token for himself for service A, B, and C. However, access_token from PORTAL SHOULD work only for PORTAL and not for Services ABC. Same is true for services, access_token for services works only for one service.

So after user logs in to PORTAL it will see extra buttons like “Login to Service A(B,C)”. On click, it should generate new access_token for selected service. A user only enters username / password once on PORTAL login.

Please see mockup:

This is SPA web application. Back-end will be responsible for all keys generation

Yes. Sorry, missed this part.

Just to make it clear PORTAL also uses Auth0 for authentication, but DOESN’T use Auth0 Lock. So we host login page on our domain and use Auth0 oauth/token endpoint with password-realm grant type.

Hi @dlitsman did you figure this out? I’m looking at the same issue right now.

Hi @andrewj Unfortunately, no. We were not able to use Auth0 API for that and we have created a custom solution to resolve this issue :frowning:

One of the solutions we found though was refresh_token’s. Main Portal saves this token and then can use it to generate new auth_token’s. I don’t remember all the details… hope it will be helpful.

Anyway, I still think that Auth0 API should allow generating token programmatically using Managment API credentials. These are my users after all and I have full access to them (including changing a password and deleting them) using API keys. But for some reason, I’m not allowed to generate valid access_token… Weird. Hope they will improve it.

Thanks for the reply! Damn that’s not ideal, I will have a look at the refresh token docs. I don’t know enough about OAuth to know whether Auth0 can generate an access_token token without the user going through the OAuth flow. It looks like we will have to generate our own access_token and fall back to a custom authentication method at our APIs edge.