We have Partner systems that need to authenticate & authorise to us when they invoke our organisation's exposed APIs. We currently have an API secured by the Auth0 client credentials (M2M) grant flow. This provides a mechanism for the Partner to be authenticated & authorised; however, our exposed API additionally needs the “user context” information of the “user” that was responsible for making a call to the Partner system through a web user interface and/or a mobile device interface.
How can the Auth0 flow be made to additionally send “user context” information to the target organisation’s exposed API (in addition to the invoking “Partner context” from the Auth0 client credential M2M flow access token)?
I found the links below on the delegation grant. Can you please advise whether this flow would be suitable in this scenario and whether this flow is supported in Auth0?
On the other hand, if the Delegation flow is not supported in Auth0, then what is the alternative to achieve the same outcome: the ability to authenticate/authorise the partner system and authenticate the end-user making the request in the target organisation’s exposed API?