We have a legacy authentication platform that we would like to slowly migrate to Auth0. Our specific use case is:

1. User logs into our platform, and is provided a session token.
2. The user then connects to an endpoint to exchange the session token for an Auth0 token.
3. The user then connects to our second endpoint providing the Auth0 token to obtain data.

We specifically do not want:

- The user to have to provide credentials to Auth0.

Is there a way that our exchange service can get an Auth0 token for a user WITHOUT having the user's password? Ideally we could use the API to obtain the token for a given user. Is this possible?
It depends, but most likely there are some integration points that would allow you to accomplish that.
For example, if by "we do not want the user to have to provide credentials to Auth0" you simply mean that the user is not directly aware that Auth0 is being used, then you could consider using the resource owner password credentials grant against a custom database connection. This would allow the user to continue to provide credentials directly to your application, and the application would exchange those for Auth0-issued tokens. However, this would merge steps 2 and 3 of your process, as session tokens would not be required or add anything of value, so I suspect this may not be what you want.

If with the above you really mean that the user password would never be known and/or passed through Auth0, then you could still likely leverage custom database connections (authenticating against something other than user passwords) or client credentials flows, where tokens are issued directly to client applications instead of end users. However, this would be highly custom, so a proper implementation would depend on a lot of details associated with your particular implementation, and it's hard to provide a definitive answer.