We are building a healthcare application in an embedded browser in an Electronic Medical Record (EMR).
We are looking to implement an auth flow where (using SMART on FHIR) the browser fetches an auth token from the EMR, forwards it to our server, our server validates the token, our server maps the token’s corresponding EMR identity to an identity in Auth0, then our server issues a new Auth0 user token for the browser. I understand that this could be implemented using on-behalf-of token exchange, or a management API that issues individual user auth tokens (which I was not able to find).
What does Auth0 recommend to implement this auth flow? In particular, I was not able to find a way to issue a new Auth0 user token from a trusted server given an Auth0 ID.