I’m not going to be answering your question directly mainly because I don’t know what Salesforce Named Credentials is, but there are overall two basic integrations with Salesforce that I see:
Salesforce uses Auth0 as an external identity provider to authenticate users. So every time Salesforce needs to authenticate a user, it redirects the user’s browser to your Auth0 domain with a SAML authentication request. On the Auth0 side you can configure any number of connections (sources of users). This is usually used to integrate your company’s directory (e.g. Google Suite, Azure AD, or any other) and other sources with Salesforce and put any required transformation logic in the middle (by using rules). This integration is described here: https://auth0.com/docs/integrations/sso/salesforce
Auth0 uses Salesforce as the identity provider. In this scenario your apps are connected to Auth0 (they use Auth0 to authenticate a user) and Auth0 connects to any number of connections. One of them is Salesforce, so users can authenticate with their Salesforce identity into the apps. This scenario is described here: https://auth0.com/docs/connections/social/salesforce
Hope that helps a bit. Maybe someone more familiar with Salesforce Named Credentials can provide more insight here.
This is how we’re using it today, where the “M2M App” is Salesforce and “Your API” is the various systems that Salesforce integrates with. Auth0 acts as the IDP and provides machine tokens (M2M) for Salesforce to further authorize into “Your APIs”.
This flow is a great fit for us because our users are none the wiser.
While SSO would be one path we can take to address this, I’m afraid that would be a longer path than we have an appetite for.
In the second option you provided, if I’m reading correctly, the flow moves in the opposite direction: inbound requests to Salesforce, rather than outbound from SF.
I’m not entirely sure which direction to go yet, but I am (on the SF side) investigating Named Credential OAuth 2.0 with OpenID, paired with an Auth. Provider registered in Salesforce.
Our goal is to persist current functionality (No user interaction during auth flow) and securely store authorization credentials in Salesforce.
If you need Auth0 to issue tokens for your API, then you’d probably take the second scenario out of the picture (unless you want Auth0 to issue tokens with users logging in with their Salesforce identity as the “subject” of the claim).
So the first question would be: do you want users or applications as the “subject” of the tokens:
If you use M2M flows (with client credentials) the user does not participate in the authorization: tokens are issued to the app, to access resources directly.
If you involve users then the tokens are issued with the user as the “subject” of the token. Users will need to participate if this is the case, usually in the form of a browser redirection to your Auth0 domain (where users can authenticate, and give consent and MFA if so configured). You can configure any connection (including salesforce itself!) as a way of authenticating users.
Unfortunately I can’t provide any help specific to Salesforce Named Credentials. Only that if you want to get a token using the client credentials flow, you’ll have to provide the client_id and client_secret, which should remain secured.
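To make the "subject of the token" distinction concrete, here is an added example (my own code, not from the thread, Auth0's SDKs, or Salesforce Named Credentials): the client-credentials request an M2M app sends to Auth0's `/oauth/token` endpoint, and the checks "Your API" should run before trusting the resulting bearer token, including telling an application-subject token from a user-subject one. The tenant domain, API audience and client identifiers are placeholders I made up, and because Auth0 really signs access tokens with RS256 against keys published at `/.well-known/jwks.json`, this example substitutes an HS256 shared secret purely so that it runs offline; in production you would verify against the JWKS with a JWT library.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Placeholder tenant values, constructed for this example.
AUTH0_DOMAIN = "example.us.auth0.com"
ISSUER = f"https://{AUTH0_DOMAIN}/"                 # Auth0 issuer has a trailing slash
API_AUDIENCE = "https://your-api.example.com"        # API identifier registered in Auth0
TOKEN_URL = f"https://{AUTH0_DOMAIN}/oauth/token"


def build_client_credentials_request(client_id: str, client_secret: str, audience: str):
    """Return (url, headers, body) for the OAuth 2.0 client credentials grant.

    No user takes part: the application itself is the subject of the token.
    The secret should come from a secret store, never from source or logs.
    """
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, body


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict, secret: bytes) -> str:
    """Stand-in for Auth0 issuing an access token (HS256 only so this runs offline;
    Auth0 itself uses RS256 and publishes the public keys as a JWKS)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_access_token(token: str, secret: bytes, audience: str, issuer: str, now: int = None) -> dict:
    """What the resource server ("Your API") must do before honouring a bearer token:
    pin the algorithm, check the signature, then issuer, audience and expiry."""
    if now is None:
        now = int(time.time())
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # never accept 'none' or an unpinned alg
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        raise ValueError("token not issued for this API")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def token_subject_kind(claims: dict) -> str:
    """Auth0 issues client-credentials tokens with sub '<client_id>@clients' and gty
    'client-credentials'; tokens obtained through a user login carry the user's id
    (for example 'auth0|...' or 'salesforce|...') as sub."""
    sub = claims.get("sub", "")
    if claims.get("gty") == "client-credentials" or sub.endswith("@clients"):
        return "application"
    return "user"


if __name__ == "__main__":
    url, headers, body = build_client_credentials_request("abc123", "<from-secret-store>", API_AUDIENCE)
    print("POST", url, headers, body.replace("%3Cfrom-secret-store%3E", "[redacted]"))
    demo_secret = b"offline-demo-only"
    m2m = mint_demo_token({"iss": ISSUER, "sub": "abc123@clients", "aud": API_AUDIENCE,
                           "exp": int(time.time()) + 3600, "gty": "client-credentials"}, demo_secret)
    print(token_subject_kind(verify_access_token(m2m, demo_secret, API_AUDIENCE, ISSUER)))
```

The API side never sees the `client_secret`; it only needs the issuer, the audience it was registered under, and the signing keys. Checking `aud` is what stops a token minted for some other API in the same tenant from being replayed against yours, and the `sub`/`gty` check is what lets the API apply different authorization rules to "Salesforce the application" versus a human user.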
jlyon: Did you ever figure out a way to use Auth0 with Auth Providers and Named Credentials in Salesforce? We’re running into issues getting Salesforce to generate valid tokens.