Trusted account creation from ID token

Hello. Our team is working on a somewhat interesting flow in order to integrate “Subscribe with Google” (Subscribe with Google | Google Developers). The challenge of the flow is this:

  1. User lands on a page
  2. Either because the user has a subscription through Google or because the user just bought it, Google sends a valid signed ID token (along with the additional info about the purchase)
  3. The token should be validated on the backend to confirm the signature is correct
  4. If everything is correct, and that token is to be trusted, the user has to be created with a link to the Google account (as if the user had logged in through Google) WITHOUT any additional authentication screens.

As you might expect - #4 is the biggest challenge. We’ve searched through documentation and forums for Auth0, and yet were unable to find an answer for this. Basically we would like to know:

  1. Can the user be created with a social login link via the api or in any other way WITHOUT direct authentication?
  2. How could web user session be created WITHOUT direct authentication?

Thanks.

  1. Linking without user consent won’t work. Also the ID token you acquired doesn’t authorize you for it in any way. Also doesn’t sound very secure nor trustworthy.
  2. Sounds like impersonation, it’s not possible/supported.

Why do you want/need to avoid direct authentication? Why not use regular federated authentication via Google here?


@mathiasconradt Avoiding the direct authentication is Google's requirement in this flow. From their perspective a correctly signed token is a valid reason for a user session, which is sort of the OpenID Connect way. Unfortunately I cannot share the full documentation and instructions on this.
Basically, direct authentication here is handled completely by Google, and the website receives only an ID token (no access token) as a sign of a trusted user account.

It appears to be a similar flow to Google's One-Tap sign-up, and it looks like there was a workaround solution for this in Auth0 (Integrating Google One-Tap sign-up/login with Auth0 - #9 by peter-auth0). But it's not exactly what's needed here, since this workaround triggers authorization through Google instead of creating the user directly.

Understood, though I don't see any other solution here either, besides the one from Peter that you linked to. By the way, the One-Tap website doesn't seem to have a lot of documentation (anymore?) at the moment.