Use Client Id and Client Secret to Create a JWT for a User

Hello,

I want to do something similar to the deprecated ‘impersonate user’ API. I want to be able to take my Client Id and Client Secret and specify a user stored in my Username-And-Password database connection, then have a JWT generated for that user and sent back to me. Is that possible? Can someone point me to the Auth0 documentation for that?

Here is what I am really trying to do, so please weigh in if I am going about it the wrong way. What I need to do is allow users of a 3rd party system that I don’t control to log in to my system, where they have a corresponding user. My system is set up with Auth0 and uses only a Username-And-Password database connection to store user credentials. The user of the 3rd party system authenticates with the 3rd party system using the 3rd party system’s authentication method (and no, they don’t have their own identity provider server). Now that 3rd party user has an email address, and a user entry is created in my system in Auth0 that corresponds to that same email address. What I need to make happen is that by clicking a button in the 3rd party system they go to my web site and are automatically logged in to my system as if they had typed in the credentials for their user in my system. This is OK because they already authenticated with the 3rd party system and I trust the 3rd party system.

Here is what I was hoping would work: I create a user in my system and in Auth0 for my system that represents the 3rd party system. I give the 3rd party system their username and password. They then take those credentials and use my server’s login endpoint to get their own JWT. All of that is fine and working. But now I want to create an endpoint on my server that allows the 3rd party system to send over the email address of their logged-in user and then sends back to the 3rd party system a JWT that represents the corresponding user in my system, such that they would be able to use the generated JWT to interact with my server. Once the 3rd party system gets back the JWT which represents their logged-in user, the 3rd party system will serve up a webpage to their logged-in user that has a button in their system which, when clicked, will open up a new tab with my system with them being logged in via the JWT that was generated for them. So the 3rd party system would have a link that the user could click on that looks, for example, like this: ‘www.my-site.com/login?jwt=asdflkj’. I already built that code so that it will take in the JWT and save it off exactly the same way it would if they went to my system’s real log in page, typed in their username and password and then received the JWT from my server. So essentially it just takes the JWT and bypasses the need for the user to type in the username and password for my system, because they already authenticated with this TRUSTED 3rd party system.

I understand that there are security concerns with giving the 3rd party system the ability to “log in users by specifying an arbitrary email”, but I have a different mechanism of making sure that the 3rd party system would only be able to log in a very specific set of users in my system. They would only have access to log in users that are also users of the 3rd party system. I will program that restriction in.

Is there any way that Auth0 has for helping me accomplish what I need to do? I essentially just need Auth0 to have a way to send in my Client Id and Secret and an Auth0 username and have it spit out a JWT for that user.

Responding to this for future reference as we go through our historical backlog.

In general the answer is that this is not possible: the Client Credentials Flow is designed for machine-to-machine (M2M) authentication, where a confidential client is directly accessing its own resources. In this flow, the token is issued on behalf of the client, not the end user. Therefore, the access token obtained through the Client Credentials Flow is not associated with any user.

The primary use-case for the Client Credentials Flow is to access a protected resource where user authorization is not required. For example, this could be a background service that needs to access a set of secured APIs.

You might be able to use this flow in the specified use case although this is not something Auth0 supports out of the box.

Hope this helps future users :crystal_ball:

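The point of the reply above, shown in code: an access token from the Client Credentials grant names the application as its subject, so a resource server that needs to know which end user is calling cannot accept it in place of a user token. This is an added example, not code from the thread or from Auth0. It mints tokens locally with HS256 and a shared secret so it runs offline (Auth0 signs with RS256 and the tenant key); the issuer, audience, client id and user id are constructed placeholders, and the M2M claim shape (`sub` ending in `@clients`, `gty` = `client-credentials`) follows Auth0's documented convention but is asserted here as an assumption of the example.

```python
"""Added example (not from the thread or Auth0): a client-credentials token
identifies the application, never a user, so a user-scoped check must reject it.

Tokens are built locally with HS256 so this runs offline; Auth0 issues RS256
tokens. All identifiers below are constructed placeholders, and the M2M claim
shape (sub = "<client_id>@clients", gty = "client-credentials") is assumed from
Auth0's documented behaviour."""
import base64
import hashlib
import hmac
import json

# Constructed demo values; not real tenant data.
SECRET = b"demo-shared-secret-not-for-production"
ISSUER = "https://example-tenant.auth0.com/"
AUDIENCE = "https://api.my-site.example"
CLIENT_ID = "abc123ClientId"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, now: int) -> str:
    """Sign a compact JWS (HS256) over standard claims plus the given extras."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = {"iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + 3600, **claims}
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(body).encode())}"
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def client_credentials_token(now: int) -> str:
    """Shape of what grant_type=client_credentials yields: subject is the app."""
    return mint_token(
        {"sub": f"{CLIENT_ID}@clients", "gty": "client-credentials", "azp": CLIENT_ID},
        now,
    )


def user_token(user_id: str, now: int) -> str:
    """Shape of a token issued after an interactive login: subject is the user."""
    return mint_token({"sub": user_id, "azp": CLIENT_ID}, now)


def verify(token: str, now: int) -> dict:
    """Check structure, alg, signature, issuer, audience and expiry; return claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never trust the alg the token asks for
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    return claims


def is_valid(token: str, now: int) -> bool:
    """Boolean wrapper around verify() for callers that only need pass/fail."""
    try:
        verify(token, now)
        return True
    except ValueError:
        return False


def is_user_token(claims: dict) -> bool:
    """Client-credentials tokens carry an application subject, never a user."""
    return claims.get("gty") != "client-credentials" and not claims["sub"].endswith("@clients")


def acting_user(token: str, now: int):
    """Resolve the end user behind a bearer token, or None for an M2M token."""
    claims = verify(token, now)
    return claims["sub"] if is_user_token(claims) else None


if __name__ == "__main__":
    now = 1_700_000_000
    print("user token ->", acting_user(user_token("auth0|5f0c1b2e", now), now))
    print("M2M token  ->", acting_user(client_credentials_token(now), now))
```

`acting_user` is the check a user-facing endpoint should run: a signature-valid token from the Client Credentials grant still yields no user, which is exactly why that grant cannot produce the per-user JWT the question asks for. The rejection of a tampered or expired token is handled by `verify`, which also pins the expected `alg` rather than trusting the header.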
