I have a backend application with an API (ASP.NET Core) plus a SPA. I have managed to set up the SPA such that the user is able to log in via Auth0, and is able to generate an access token that can be used to authenticate with the backend application. This all works perfectly fine. The application is a multi-tenant application, so I store a user ID in the user profile that is used in the backend to make sure that the user is only able to access their own data.
Now, I want the user to access the backend API with a non-interactive third-party application that is not under my control. So, the user should be able to generate a token that doesn’t expire, and use this in the app. The token should be linked to a user.
It is unclear how I can manage this with Auth0. I understand that it is not safe to manage this in the SPA, and my backend application should be able to manage the token for the user, and display it only once in the SPA. This flow should be similar to Personal Access Tokens with GitHub.
How do I implement this with Auth0? Is it even possible?