Hi, in our frontend single page application we started to use the Auth0 SDK Universal Login for the user login.
In the application we have a ‘Sign as other user’ button. The first user is logged in via Auth0, but occasionally they will have a second user in the same building perform a ‘sign over the shoulder’ action, where the second user enters their credentials to sign off on something.
So our Sign As functionality is technically a user credential validation (which is what we are doing on the backend side currently). As our application uses the Auth0 SDK, we need to use the Auth0 SDK for the Sign As functionality too.
Our idea was to use the Auth0 SDK login with popup functionality for the Sign As. But the problem is that when the second user logs in with the popup functionality, the Auth0 session in the application is changed from the first user to the second user by the SDK.
The next time the application requests a new access token, and a silent login is necessary for the new token, the SDK will provide an access token for the second user, because the Auth0 session was changed during the Sign As flow.
Finally, when the frontend application passes the access token (provided by the SDK), which belongs to the second user, as the credential for the API call, the validation on the backend side of our application will fail, because the first user is logged into the application, so in our application the user session belongs to the first user and not to the second (we are not just validating the token but comparing the user info in our session with the user info in the token).
Based on this
Our current Sign As flow seems to be a Resource Owner Password flow, because we send the credentials to the backend and the backend does the validation. But ROPC is considered obsolete by OAuth, and in the above link we can read this: "This grant should only be used when redirect-based flows like the Authorization Code Flow are not possible."
What is the best way to prompt the second user via auth0 for authentication while maintaining the first user’s session?