We have a mobile app which uses Auth0 for user authorization. One of our clients came up with an idea to have deep links sent to specific users by email - so we know basic information about each user the link is sent to (name and email). The requirement is that a user who clicks on a link on the phone does not need to go through the UI process of signing up or signing in inside the app but just needs to be ‘automatically’ signed in.
My idea is to pre-create the user on our backend with the Auth0 Management API on a separate database connection. The backend should also generate an access and refresh token for each user, which would then be stored in our backend database.
When the user opens the app from our ‘magic link’, the app would retrieve the pre-generated access and refresh token stored in our backend database and thus get itself signed in without the need for any UI process.
Just wanted to ask if this process is secure enough or if there are any potential vulnerabilities, and if there is any other, more preferred way to achieve this requirement.