We run a web app with a sort of end-to-end cryptography system, where everything is encrypted with keys derived from the user password.
Recently a request for SSO implementation came. From this it seems that implementing SSO and also E2EE, without the need for a desktop or mobile app is possible, but that is the only mention I found.
Is there a way of getting some secret from Auth0 that is unique for each user, is secure to use for encryption of user data and does not change between sessions? Or is this just generally not a good idea at all?
You can store user-specific data in the user’s app_metadata. The persistent data can then be added to the token and sent to your application after the user authenticates.
App_metadata is not typically used for secret/credential storage, but instead is used for storing access information like a user’s subscription level, external IDs, or permissions. That doesn’t necessarily mean it’s a good or bad idea, but I would proceed with caution, as it is not the intended purpose of the feature.