Token Exchange implementation

We are building a healthcare application in an embedded browser in an Electronic Medical Record (EMR).

We are looking to implement an auth flow where (using SMART on FHIR) the browser fetches an auth token from the EMR, forwards it to our server, our server validates the token, our server maps the token’s corresponding EMR identity to an identity in Auth0, then our server issues a new Auth0 user token for the browser. I understand that this could be implemented using on-behalf-of token exchange, or a management API that issues individual user auth tokens (which I was not able to find).

What does Auth0 recommend to implement this auth flow? In particular, I was not able to find a way to issue a new Auth0 user token from a trusted server given an Auth0 ID.
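The server-side half of the flow described above (validate the inbound EMR token, map its subject to an internal identity, mint a new short-lived token for the browser), as an added example written for this thread; it is not code from the original post and it does not use any Auth0 API. To run offline it uses HS256 with constructed shared secrets, constructed issuer and audience URLs, and a hard-coded identity map; a real deployment would verify the EMR token against the EMR's published JWKS (RS256) and sign the downstream token with the identity provider's key. The `act` claim follows RFC 8693's convention for recording the upstream actor.

```python
"""Minimal server-side token exchange in pure standard-library Python.
All secrets, issuers, audiences and user ids below are constructed for
this example (assumption: HS256 shared secrets stand in for JWKS/RS256)."""
import base64
import hashlib
import hmac
import json
import time

EMR_ISSUER = "https://emr.example.test"     # constructed
EMR_AUDIENCE = "https://app.example.test"   # constructed: our server as audience
EMR_SECRET = b"emr-shared-secret"           # constructed: stands in for the EMR's signing key
APP_ISSUER = "https://app.example.test"     # constructed
APP_SECRET = b"app-signing-secret"          # constructed: our downstream signing key
APP_TOKEN_TTL = 300                         # seconds; keep the exchanged token short-lived

# constructed identity map: EMR subject -> identity in our IdP
IDENTITY_MAP = {"emr-user-42": "auth0|internal-user-42"}


class TokenError(ValueError):
    """Raised for any validation failure; callers should treat all as 401."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Produce a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Check signature, pinned algorithm, issuer, audience and expiry; return claims."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never trust 'alg' from the token (rejects 'none' and alg confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise TokenError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("expired")
    return claims


def exchange_token(emr_token: str, now=None) -> str:
    """Validate the EMR token, map the subject, and mint a new token for the browser."""
    now = time.time() if now is None else now
    claims = verify_jwt(emr_token, EMR_SECRET, EMR_ISSUER, EMR_AUDIENCE, now)
    internal_id = IDENTITY_MAP.get(claims.get("sub"))
    if internal_id is None:
        raise TokenError("no mapped identity for EMR subject")
    new_claims = {
        "iss": APP_ISSUER,
        "sub": internal_id,
        "aud": APP_ISSUER,
        "iat": int(now),
        "exp": int(now) + APP_TOKEN_TTL,
        # Record the upstream actor for audit (RFC 8693 'act'); do not copy upstream scopes blindly.
        "act": {"iss": EMR_ISSUER, "sub": claims["sub"]},
    }
    return sign_jwt(new_claims, APP_SECRET)


def make_emr_token(sub, now, ttl=600, secret=EMR_SECRET, issuer=EMR_ISSUER, audience=EMR_AUDIENCE):
    """Constructed stand-in for the token the embedded browser fetches from the EMR."""
    return sign_jwt({"iss": issuer, "sub": sub, "aud": audience, "iat": int(now), "exp": int(now) + ttl}, secret)


if __name__ == "__main__":
    t = int(time.time())
    downstream = exchange_token(make_emr_token("emr-user-42", t), now=t)
    print(verify_jwt(downstream, APP_SECRET, APP_ISSUER, APP_ISSUER, now=t))
```

The exchange deliberately issues a fresh token with our own issuer and audience rather than re-signing the EMR's claims, so a token scoped to the EMR can never be replayed against our API and our token carries only the identity our server chose to map.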


Hi @jdong-amb,

Welcome to the Auth0 Community!

Auth0 doesn’t support user impersonation (getting a user token from a management API) and the flow you describe isn’t going to be readily available.

Hope this helps!
