Token Exchange to act on behalf of another user

We are migrating our IdP to Auth0 and I have the following use case, which I could not migrate:

An admin user needs to act on behalf of a different end user, without needing the end user’s password!
With our old IdP we were able to use grant_type ‘urn:ietf:params:oauth:grant-type:jwt-bearer’ to request an access token for the admin. After that we used grant_type ‘urn:ietf:params:oauth:grant-type:token-exchange’ to retrieve an access token on behalf of the end user. We were then logged in as the end user!

Anyone in the same situation?
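
The two-step flow described in the question, as an added runnable sketch (not code from the original post and not Auth0's API): a mock token endpoint that first accepts an RFC 7523 JWT-bearer assertion for the admin and then an RFC 8693 token exchange that issues a token whose `sub` is the end user and whose `act` claim names the admin, so the delegation is visible to every resource server and in the logs. Everything in it is constructed: the issuer URL, keys, the `admin-client` registration, the `admin:impersonate` scope that gates the exchange, and the `requested_subject` parameter (RFC 8693 does not define it; some servers such as Keycloak use that name, and it is an assumption here). HS256 is used so the block runs on the standard library alone; a real server verifies client assertions with the client's registered public key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: issuer, keys, client registration and scope names.
ISSUER = "https://idp.example"                         # hypothetical issuer
TOKEN_ENDPOINT = ISSUER + "/oauth/token"
SERVER_KEY = b"constructed-demo-signing-key"           # HS256 for brevity only
CLIENT_KEYS = {"admin-client": b"constructed-admin-client-secret"}
CLIENT_SCOPES = {"admin-client": "openid admin:impersonate"}
IMPERSONATE_SCOPE = "admin:impersonate"                # hypothetical gating scope

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"          # RFC 7523
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT signer (no external dependencies)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_verify(token: str, key: bytes) -> dict:
    """Check signature and expiry; return the claims or raise PermissionError."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise PermissionError("expired")
    return claims


def issue_access_token(sub: str, scope: str, extra=None, ttl: int = 300) -> str:
    claims = {"iss": ISSUER, "sub": sub, "scope": scope, "exp": int(time.time()) + ttl}
    claims.update(extra or {})
    return jwt_sign(claims, SERVER_KEY)


def token_endpoint(form: dict) -> dict:
    """Mock token endpoint handling the two grants the question describes."""
    grant = form.get("grant_type")
    if grant == JWT_BEARER:
        assertion = form["assertion"]
        # Select the client's key from the (not yet verified) iss, then verify.
        iss = json.loads(_b64url_decode(assertion.split(".")[1])).get("iss")
        if iss not in CLIENT_KEYS:
            raise PermissionError("unknown client")
        claims = jwt_verify(assertion, CLIENT_KEYS[iss])
        if claims.get("aud") != TOKEN_ENDPOINT:
            raise PermissionError("assertion audience is not this token endpoint")
        token = issue_access_token(claims["sub"], CLIENT_SCOPES[iss])
        return {"access_token": token, "token_type": "Bearer", "expires_in": 300}
    if grant == TOKEN_EXCHANGE:
        if form.get("subject_token_type") != ACCESS_TOKEN_TYPE:
            raise PermissionError("unsupported subject_token_type")
        actor = jwt_verify(form["subject_token"], SERVER_KEY)
        # The gate: only a token carrying the impersonation scope may be exchanged.
        if actor.get("iss") != ISSUER or IMPERSONATE_SCOPE not in actor.get("scope", "").split():
            raise PermissionError("subject token may not act for other users")
        target = form["requested_subject"]  # hypothetical parameter, see lead-in
        # RFC 8693 delegation: sub is the end user, act records who really acts.
        token = issue_access_token(target, "openid", {"act": {"sub": actor["sub"]}})
        return {"access_token": token, "issued_token_type": ACCESS_TOKEN_TYPE,
                "token_type": "Bearer", "expires_in": 300}
    raise ValueError("unsupported_grant_type")


def act_on_behalf_of(admin_sub: str, end_user_sub: str) -> dict:
    """Client side of the two-step flow; returns the delegated token's claims."""
    assertion = jwt_sign({"iss": "admin-client", "sub": admin_sub, "aud": TOKEN_ENDPOINT,
                          "exp": int(time.time()) + 60}, CLIENT_KEYS["admin-client"])
    admin = token_endpoint({"grant_type": JWT_BEARER, "assertion": assertion})
    delegated = token_endpoint({"grant_type": TOKEN_EXCHANGE,
                                "subject_token": admin["access_token"],
                                "subject_token_type": ACCESS_TOKEN_TYPE,
                                "requested_subject": end_user_sub})
    return jwt_verify(delegated["access_token"], SERVER_KEY)


def exchange_is_denied(access_token: str, end_user_sub: str) -> bool:
    """True if the endpoint refuses to exchange this token for the end user."""
    try:
        token_endpoint({"grant_type": TOKEN_EXCHANGE, "subject_token": access_token,
                        "subject_token_type": ACCESS_TOKEN_TYPE,
                        "requested_subject": end_user_sub})
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(act_on_behalf_of("admin@example.test", "alice@example.test"), indent=2))
```

The two checks worth keeping from this sketch are the scope gate on the subject token (an ordinary user token must be refused by the exchange) and the `act` claim in the issued token: a resource server that only looks at `sub` sees the end user, but the `act` claim lets it, and the audit trail, distinguish delegated access from the user's own session.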

The situation you describe appears to suggest some requirement for impersonation and/or (3rd party) token exchange, neither of which Auth0 natively supports out of the box. However, it is possible to achieve some level of each, typically utilising Auth0 Custom Database Connection functionality. Whilst possible, it’s not a simple solution to describe/implement…at least not securely at any rate. For situations like these I would typically recommend reaching out to Auth0 Professional Services, either via your (Auth0) Technical Account Manager if you have one or directly via the link provided.

Hope this helps 🙂

