I want users to be able to log in with various methods - via Auth0 - to my application.
But I also want to store user info in my own database - and merge logins by ID.
i.e. if I log in with a Facebook account and a Google account, linked to the same email address (and verified), then they will end up with the same user in my application.
After reading this post: asp.net web api - OAuth and external auth providers - Stack Overflow, it seems maybe I would end up needing to configure my own auth service and convert the Auth0 access token into my own ID/access_token - effectively representing a session in my application. During the conversion from Auth0 token to custom token, I'd check for an existing account with the email, otherwise register a new account.
Is this the most feasible way to achieve this? I have a feeling it’d be simpler to use 1 token issuer rather than 2.
Effectively this would be a double code exchange.
Redirect Auth0 Login → Receive code in URL → exchange code for Auth0 token → exchange Auth0 token for a proprietary token (relating directly to - and possibly containing cached fields of - the user in the database).
Use finally acquired proprietary token for authorization with my services.
Essentially, with this configuration I'm using OAuth for handling login for me, and I use my own token for the ultimate authorisation.
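The second exchange step described in the post (Auth0 token in, application session token out, with account merging on a verified email), as an added example that is not part of the original post and not Auth0's own code. It is a self-contained, standard-library sketch: the external token is verified as an HS256 JWT against a shared secret purely so the example runs offline (Auth0 actually issues RS256 tokens verified against its JWKS endpoint, so a real implementation would use a JWT library with key discovery); the issuer, audience, secret, `sub` values and emails are all constructed. The security-relevant check is in `UserStore.resolve`: two external identities are merged into one application user only when the provider asserts `email_verified` is true, otherwise an identity with an unverified email gets its own user, so a provider account that merely claims someone else's address cannot be linked into their existing user.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo; in a real deployment the Auth0 token is
# validated against the tenant's JWKS and the session secret lives in a vault.
AUTH0_ISSUER = "https://example-tenant.auth0.com/"   # constructed
AUTH0_AUDIENCE = "my-api"                             # constructed
AUTH0_KEY = b"constructed-auth0-shared-secret"        # constructed (HS256 for the demo only)
APP_ISSUER = "https://api.example.invalid/"           # constructed
APP_KEY = b"constructed-app-session-secret"           # constructed
SESSION_TTL = 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWT signed with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Verify signature, alg, iss, aud and exp; return the claims or raise."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never trust the token's own alg choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("bad issuer")
    if claims.get("aud") != audience:
        raise ValueError("bad audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


class UserStore:
    """In-memory stand-in for the application's own user table."""

    def __init__(self):
        self.users = {}        # user_id -> {"email": str, "identities": set of provider subs}
        self.by_identity = {}  # provider "sub" (e.g. "google-oauth2|...") -> user_id
        self.by_email = {}     # verified, normalised email -> user_id
        self._next_id = 1

    def resolve(self, claims: dict) -> int:
        """Return the application user for this external identity, creating or merging as needed."""
        sub = claims["sub"]
        if sub in self.by_identity:                 # identity already linked
            return self.by_identity[sub]
        email = (claims.get("email") or "").strip().lower()
        verified = claims.get("email_verified") is True and bool(email)
        if verified and email in self.by_email:     # merge only on a provider-verified email
            uid = self.by_email[email]
        else:                                       # otherwise a fresh application user
            uid = self._next_id
            self._next_id += 1
            self.users[uid] = {"email": email, "identities": set()}
            if verified:
                self.by_email[email] = uid
        self.users[uid]["identities"].add(sub)
        self.by_identity[sub] = uid
        return uid


def exchange(auth0_token: str, store: UserStore, now=None) -> str:
    """Second exchange: Auth0 token -> application session token bound to the merged user."""
    claims = verify_hs256(auth0_token, AUTH0_KEY, AUTH0_ISSUER, AUTH0_AUDIENCE, now)
    uid = store.resolve(claims)
    now = time.time() if now is None else now
    session = {"iss": APP_ISSUER, "aud": APP_ISSUER, "sub": str(uid),
               "idp": claims["sub"], "iat": int(now), "exp": int(now) + SESSION_TTL}
    return sign_hs256(session, APP_KEY)


def session_user(session_token: str, now=None) -> str:
    """What the application's own services do with the final token: verify and read the user id."""
    return verify_hs256(session_token, APP_KEY, APP_ISSUER, APP_ISSUER, now)["sub"]


def _auth0_token(sub: str, email: str, verified: bool, now: float) -> str:
    # Stand-in for a token Auth0 would issue after the first exchange (constructed).
    return sign_hs256({"iss": AUTH0_ISSUER, "aud": AUTH0_AUDIENCE, "sub": sub, "email": email,
                       "email_verified": verified, "exp": int(now) + 300}, AUTH0_KEY)


if __name__ == "__main__":
    store, t = UserStore(), time.time()
    fb = exchange(_auth0_token("facebook|123", "Alice@Example.com", True, t), store, t)
    gg = exchange(_auth0_token("google-oauth2|456", "alice@example.com", True, t), store, t)
    print("same user:", session_user(fb) == session_user(gg))
```

The `exchange` function is the only place the application trusts the identity provider; everything downstream checks only the application's own token, which is the single-issuer model the post is asking about. Note that `resolve` keys the merge on the normalised email plus the provider's `email_verified` flag, so a later login from a provider that does not verify addresses gets a separate user rather than being silently attached to an existing one.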