Hi,
We are a healthcare provider application, and we're exploring the possibility of having our users log in to our application through auth0 instead of through our current in-house username/password system. However, one thing that we would still like to preserve from our current system is our custom one-time-link/passwordless user flows, and we're trying to see if we can get them to work as-is while still being able to authenticate and work with tokens fetched via auth0.
To give more context, below are some examples of one-time-link experiences that we currently support:
- Let’s say a user of our healthcare application gets a new lab result that had been requested for them last week. Our internal systems will then generate an email with custom application-specific messaging and custom, user-specific data to send to the user, along with a clickable link which allows them to automatically log in and view their lab result.
- Let’s say a patient booked an appointment in our healthcare application. We then send a follow-up appointment confirmation email with a skin + copies along with custom links that allow the patient to reschedule/cancel their appointment up until the time that their appointment is scheduled (e.g. if the appointment is a week away, the link is valid for a week).
Both of the above scenarios involve links to actions that we're gating with what is effectively a passwordless authentication scheme. We looked at the auth0 passwordless APIs (Using Passwordless APIs), but we're not sure that such APIs give us enough flexibility to fully support our existing workflows as they are right now. For example, would auth0 allow us to send many different types of passwordless confirmation emails for different purposes, each with its own customized skin and application-specific content?
Another option we were considering is whether there's a way to convert the custom links described above into a call that allows our backend to authenticate a user through auth0 on their behalf (e.g. our backend would do the authentication automatically without having to pass in any user-specific credentials). This is because:
- such links are already generated internally by our application and sent to the user’s email
- they’ll be clicked on from the user’s email
- we should have enough context from the link being clicked to know/verify the user already
- the only remaining step would be to just fetch an auth0 token on the user’s behalf.
We haven’t been able to find any ways to achieve this approach so far from the auth0 documentation, but I was wondering if anyone else has ever run into (or solved) this type of issue before.
Thanks very much in advance!
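The post above treats the emailed link as the whole credential: whoever holds it is logged in for that one action. The example below is added here to show what the minting and verification half of such a link should look like before any token exchange happens; it is not code from the original post and it does not use any auth0 API (the step of obtaining an auth0 token for the verified user is deliberately left out, since nothing on this page describes how that would be done). All names (`OneTimeLinkStore`, `LinkRecord`, the purpose strings, the `/r/` URL path) are assumptions. The security-relevant points it demonstrates: the secret is 256 bits of randomness rather than an encoded user id, only its hash is stored so a leaked table cannot be replayed, each link is bound to one purpose and one resource, expiry is set per link (a lab-result link for a short window, an appointment link until the appointment time, as the post describes), and lab-result links are single-use while appointment links stay usable until they expire.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not code from the original post or from auth0.
# LinkRecord / OneTimeLinkStore and the purpose strings are assumed names.


@dataclass
class LinkRecord:
    user_id: str         # who the link was issued to; never appears in the URL
    purpose: str         # e.g. "view_lab_result" or "manage_appointment"
    resource_id: str     # the specific lab result / appointment the link unlocks
    expires_at: float    # unix time; for an appointment link, the appointment time
    single_use: bool     # lab-result links burn on first use; appointment links do not
    used: bool = False


def _hash(secret: str) -> str:
    # Only the SHA-256 of the secret is persisted. A database dump therefore
    # yields nothing a user could paste into a browser.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


class OneTimeLinkStore:
    """In-memory stand-in for the table the backend would keep (assumption)."""

    def __init__(self) -> None:
        self._by_hash: dict[str, LinkRecord] = {}

    def mint(self, user_id: str, purpose: str, resource_id: str,
             expires_at: float, single_use: bool = True) -> str:
        # 32 random bytes = 256 bits of entropy; the link is a bearer credential,
        # so it must be unguessable rather than merely obscure.
        secret = secrets.token_urlsafe(32)
        self._by_hash[_hash(secret)] = LinkRecord(
            user_id, purpose, resource_id, expires_at, single_use)
        return secret

    def redeem(self, secret: str, purpose: str,
               now: Optional[float] = None) -> Tuple[Optional[LinkRecord], str]:
        """Validate a clicked link. Returns (record, "ok") or (None, reason)."""
        now = time.time() if now is None else now
        rec = self._by_hash.get(_hash(secret))
        if rec is None:
            return None, "unknown"
        if rec.purpose != purpose:
            # A lab-result link presented to the reschedule endpoint is refused
            # and, importantly, not burned.
            return None, "wrong_purpose"
        if now >= rec.expires_at:
            return None, "expired"
        if rec.used:
            return None, "used"
        if rec.single_use:
            rec.used = True
        return rec, "ok"


def build_link(base_url: str, secret: str) -> str:
    # The URL carries only the secret: no user id or resource id, so there is
    # nothing in it to tamper with to reach another patient's data.
    return f"{base_url}/r/{secret}"


if __name__ == "__main__":
    store = OneTimeLinkStore()
    now = time.time()
    # Lab result: short-lived, single use (constructed sample data).
    lab = store.mint("patient-42", "view_lab_result", "lab-7",
                     expires_at=now + 24 * 3600)
    print(build_link("https://app.example", lab))
    print(store.redeem(lab, "view_lab_result")[1])   # ok
    print(store.redeem(lab, "view_lab_result")[1])   # used
    # Appointment: valid until the appointment itself, reusable until then.
    appt = store.mint("patient-42", "manage_appointment", "appt-3",
                      expires_at=now + 7 * 24 * 3600, single_use=False)
    print(store.redeem(appt, "manage_appointment")[1])  # ok
    print(store.redeem(appt, "manage_appointment")[1])  # ok
```

On a successful `redeem`, the backend knows the user and the resource from its own record, not from anything the client sent, which is the "enough context from the link being clicked to know/verify the user" condition the post describes; only at that point would it be appropriate to go on and obtain a session or token for that user by whatever mechanism the identity provider supports.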