Regular Web Application authentication through API token

I’m trying to find the best authentication flow for my scenario:

I have set up a regular web application, and some users go through the regular username and password login flow. This part works fine, but there is an additional requirement. There is another group of users that belong to a third-party system. We want to implement a mechanism in that other web application to authenticate their users into our application. We don’t need to create an account for this type of user; we just need to know they came from that other app and allow them to navigate the site.

What I was thinking is setting up an API and giving the third party the client id and secret so they could generate an auth token. This way I know the request is coming from them, but I don’t know how to let the user be authenticated in our application. I would need to set the authentication cookie for them, but this can’t be done across domains.

Can I authenticate a user having an API token only? If there is an alternate approach I am not seeing, I’m open to suggestions.

Hi @diego.torres

You want to federate authentication for these users.

Instead of Username/Password, you will create a connection that connects to the third party IDP. You can do this in a couple of ways: you can create a true federated connection (OIDC, AD, SAML etc.) or you can create a custom database driven by scripts and use ROPG (Resource Owner Password Grant) in the scripts.

Whichever way you do it, you end up with an Auth0 session (cookie) and tokens.

John
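As an added illustration of the custom-database-with-scripts route described above (example code, not from this thread and not Auth0's own): a login script in the shape Auth0 calls, which sends the user's credentials to the partner IdP with the Resource Owner Password Grant and returns a profile for the Auth0 session. The token endpoint, client credentials and the injected HTTP client are assumptions.

```javascript
// Added example: an Auth0 custom-database login script that checks credentials
// against a third-party IdP via ROPG. Endpoint and client credentials are placeholders.
const THIRD_PARTY = {
  tokenUrl: "https://idp.example.com/oauth/token", // placeholder
  clientId: "client-id-placeholder",
  clientSecret: "client-secret-placeholder",
};

// Form-encoded ROPG request for the partner's token endpoint; the password
// goes only there, over TLS, and is never logged or stored.
function buildRopgRequest(cfg, username, password) {
  const body = new URLSearchParams({
    grant_type: "password", username, password,
    client_id: cfg.clientId, client_secret: cfg.clientSecret,
    scope: "openid email profile",
  });
  return { url: cfg.tokenUrl, method: "POST", body: body.toString(),
           headers: { "Content-Type": "application/x-www-form-urlencoded" } };
}

// Map ID-token claims onto the profile Auth0 expects from a login script. user_id
// must be stable and unique in the connection, so use the subject, never the e-mail.
function profileFromClaims(claims) {
  if (!claims || typeof claims.sub !== "string" || claims.sub === "") {
    throw new Error("IdP response has no subject claim");
  }
  return { user_id: claims.sub, email: claims.email, name: claims.name,
           email_verified: claims.email_verified === true };
}

// Exchange the credentials and return the Auth0 profile; rejects on any failure.
// `http` is injected: async (request) => ({ status, claims }), where claims are
// the verified, decoded ID-token claims (token verification omitted here).
async function authenticate(cfg, http, email, password) {
  const res = await http(buildRopgRequest(cfg, email, password));
  if (res.status === 400 || res.status === 401) {
    throw new Error("wrong username or password"); // WrongUsernameOrPasswordError in the Auth0 sandbox
  }
  if (res.status !== 200) throw new Error(`IdP error ${res.status}`);
  return profileFromClaims(res.claims);
}

// Entry point in the shape Auth0 calls: login(email, password, callback).
function makeLoginScript(cfg, http) {
  return (email, password, callback) =>
    authenticate(cfg, http, email, password).then(
      (profile) => callback(null, profile),
      (err) => callback(err));
}
```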