My company has an existing legacy authentication feature where we have an extension for customer’s ERP systems that posts user profile information (user is already authenticated in the ERP) and a key that identifies the customer from the ERP to a web service that returns a one time use token. The ERP extension then redirects the user agent to our application with that one time use token, we call the token service to fetch user profile information, autoprovision a user in our database if necessary, and create our own JWT. The identity provider used in the ERP for these customers is often not publicly accessible and/or not standards based, so there’s no auth0 connection type that would support these cases.
We’re looking to use auth0 for normal use cases where customers do have SAML or some other supported idP that we can use, plus social logins. We’re wondering if there’s some way to use auth0 so that application and APIs don’t all need hacks to support auth0 plus this custom authentication hack. Is there some way to support such a use case using auth0? Some way for an authenticated application (client credentials) to post user profile info that we get from a trusted source to auth0 and get back the normal auth0 OIDC access and id tokens?