Hello. Our team is working on a somewhat interesting flow in order to integrate “Subscribe with Google” (Subscribe with Google | Google Developers). The challenge of the flow is this:
- User lands on a page
- Either because the user has a subscription through Google or because the user just bought one, Google sends a valid signed ID token (along with the additional info about the purchase)
- The token should be validated on the backend to confirm a correct signature
- If everything is correct, and that token is to be trusted, the user has to be created with a link to the Google account (as if the user had used login through Google) WITHOUT any additional authentication screens.
As you might expect, #4 is the biggest challenge. We’ve searched through documentation and forums for Auth0, and yet we were unable to find an answer for this. Basically we would like to know:
- Can the user be created with a social login link via the API or in any other way WITHOUT direct authentication?
- How could a web user session be created WITHOUT direct authentication?
Thanks.
- Linking without user consent won’t work. Also, the ID token you acquired doesn’t authorize you for it in any way. It also doesn’t sound very secure or trustworthy.
- Sounds like impersonation; it’s not possible/supported.
Why do you want/need to avoid direct authentication? Why not use regular federated authentication via Google here?
@mathiasconradt Avoiding the direct authentication is Google’s requirement in this flow. From their perspective a correctly signed token is a valid reason for a user session, which is sort of the OpenID Connect way. Unfortunately I cannot share the full documentation and instructions on this.
Basically, direct authentication here is handled completely by google, and the website receives only an ID token (no access token) as a sign of a trusted user account.
It appears to be a similar flow to Google’s One Tap sign-up, and it looks like there was a workaround solution for this in Auth0 (Integrating Google One-Tap sign-up/login with Auth0 - #9 by peter-auth0). But it’s not exactly what’s needed here, since this workaround triggers authorization through Google instead of creating the user directly.
Understood, though I don’t see any other solution here either, besides the one from Peter that you linked to. BTW, the One-Tap website doesn’t seem to have a lot of documentation (anymore?) at the moment.