I am currently implementing Social Sign-in using Auth0 (without using Universal Login).
My issue is that I want to validate the ID Token received from the mobile side on my backend, perform the auth checks, and then issue an Access Token and Refresh Token back to the mobile app.
I’ve researched this and found a grant type called ‘Custom Token Exchange,’ but apparently, it is only available for B2B/Enterprise plans. Is there any other way to achieve this? How do people usually handle this?
At the moment, I am considering just generating a custom JWT directly from my own app/backend. Any advice?
I am sorry about the delayed response to your question!
Regarding the matter, the specified grant is indeed available for B2B and Enterprise plans. However, there is an additional endpoint available on Essentials or Pro plans, called Token Exchange for Native Social, which you will be able to use to exchange tokens. However, this flow can be affected if the social provider changes their token format or if Auth0 deprecates support for the specific social login, and it is not recommended.
Also, I would not recommend generating a custom JWT and handling the session in your own backend, due to the fact that you will be losing access to certain Auth0 features, your API must be configured to handle your own private key accordingly, and you will also experience session fragmentation, where you will need to handle both an Auth0 session and the session generated by your application. Basically, instead of using Universal Login and Auth0 to handle all of these multiple sessions, you would need to handle the social login, JWT generation using the social attributes, and then create/handle an Auth0 session.
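Whichever token flow the backend ends up using, the step the question describes, validating the ID token the mobile app hands over before trusting any claim in it, is the same. Neither post shows it, so the following is an added example (mine, not code from either poster or from Auth0) of that check in Go using only the standard library: look the signing key up in a JWKS by `kid`, pin the algorithm to RS256, verify the signature, and only then compare `iss`, `aud`, `exp` and `nonce`. The RSA key pair, the `kid` value `key-1`, the tenant URL `https://example-tenant.auth0.com/`, the client id and the nonce are all constructed here so it runs offline; a real backend fetches the tenant's `/.well-known/jwks.json` and caches it instead of building the key set in memory, and `MintTestToken` stands in for the identity provider only so the example has a token to check.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK/JWKS carry only the RSA fields needed to verify an RS256 signature.
type JWK struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct {
	Keys []JWK `json:"keys"`
}

// IDTokenClaims lists the claims we check. Assumption: aud is a single string,
// as Auth0 issues for one client; the OIDC array form is not handled here.
type IDTokenClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
	Nonce string `json:"nonce"`
}

func rsaPublicFromJWK(k JWK) (*rsa.PublicKey, error) {
	if k.Kty != "RSA" {
		return nil, errors.New("unsupported kty")
	}
	nb, err := base64.RawURLEncoding.DecodeString(k.N)
	if err != nil {
		return nil, err
	}
	eb, err := base64.RawURLEncoding.DecodeString(k.E)
	if err != nil {
		return nil, err
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}, nil
}

func jwkFromPublic(kid string, pub *rsa.PublicKey) JWK {
	return JWK{Kid: kid, Kty: "RSA",
		N: base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
		E: base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

func b64json(v interface{}) string {
	b, _ := json.Marshal(v)
	return base64.RawURLEncoding.EncodeToString(b)
}

// MintTestToken plays the identity provider for this constructed example: it signs
// claims with priv using RS256 so ValidateIDToken has something realistic to check.
func MintTestToken(priv *rsa.PrivateKey, kid string, claims IDTokenClaims) string {
	signingInput := b64json(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + b64json(claims)
	h := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// ValidateIDToken verifies token against jwks and the issuer, audience (client_id)
// and nonce the backend expects, at time now. The payload is only decoded after the
// signature holds, so no claim is acted on before it has been authenticated.
func ValidateIDToken(token string, jwks JWKS, issuer, audience, nonce string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	// Pin the algorithm; the token must never get to choose it ("none", HS256 confusion).
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		if k.Kid == hdr.Kid {
			p, err := rsaPublicFromJWK(k)
			if err != nil {
				return nil, err
			}
			pub = p
			break
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no key with kid %q in JWKS", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	var c IDTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	// Exact string compare on iss: Auth0 issuers carry a trailing slash, so a
	// value that differs only by that slash is still rejected.
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != audience:
		return nil, fmt.Errorf("token not issued for this client (aud %q)", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.Nonce != nonce:
		return nil, errors.New("nonce mismatch (possible replay)")
	}
	return &c, nil
}

func main() {
	// Constructed stand-in for the tenant's signing key and published JWKS.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwks := JWKS{Keys: []JWK{jwkFromPublic("key-1", &priv.PublicKey)}}
	now := time.Now()
	tok := MintTestToken(priv, "key-1", IDTokenClaims{
		Iss: "https://example-tenant.auth0.com/", Sub: "google-oauth2|123",
		Aud: "mobile-client-id", Iat: now.Unix(), Exp: now.Add(time.Hour).Unix(), Nonce: "n-1"})
	claims, err := ValidateIDToken(tok, jwks, "https://example-tenant.auth0.com/", "mobile-client-id", "n-1", now)
	fmt.Printf("claims=%+v err=%v\n", claims, err)
}
```

The nonce is the one the backend generated and handed to the app before the social sign-in began; binding it to the session is what stops a token captured from one login from being replayed into another. Keying the JWKS lookup on `kid` also means a key rotation on the tenant only requires re-fetching the key set, not a code change.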