We’re developing a pretty straightforward web application (Angular SPA client, .NET Core Web API backend) which will interact (both from the client and from the API) with a 3rd party API (3p-API, for short, in this post). Auth against the 3p-API is done by passing username/passwords to a simple REST endpoint, which returns an access token that is to be included with all other 3p-API requests.
Would it be possible to use this 3p-API as some kind of custom identity provider? I’ve been trying to look at the Custom Social Connections extension, but this seems to require that the connection supports OAuth, so that won’t do in this case?
The flow we picture ourselves is as follows:
- User goes to our client and gets redirected for authentication to Auth0
- User enters username/password (for 3p-API) at our Auth0 login screen
- Auth0 uses entered username/password to make a request to 3p-API authentication endpoint, which if successful will return an access token
- Auth0 redirects the user back to our client, with the 3p-API access token included as a claim (in a JWT?)
- The client can then use the 3p-API access token to make requests against the 3p-API (or pass the access token on when making requests to our own API, which further can use the same access token to make direct requests to the 3p-API)
Is this scenario possible? I have tried searching the community for similar posts, but since I’m not too steady on all the terminology I might be searching for the wrong thing. If so, please just point me in the right direction!
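
The flow pictured in the question, as an added sketch that is not part of the original post and not Auth0's or the 3p-API's real interface: a broker checks the credentials against a stub 3p-API and returns a signed JWT carrying the upstream token in a custom claim, which the API verifies before use. `thirdPartyLogin`, `brokerLogin`, `extractThirdPartyToken`, the claim name, the HS256 key and the sample account are all hypothetical.

```javascript
// Added illustration: all names, the claim URI and the sample account are constructed.
const crypto = require("node:crypto");

const SIGNING_KEY = crypto.randomBytes(32);            // broker's key (HS256 keeps the sketch short)
const CLAIM = "https://example.test/3p_access_token";  // hypothetical namespaced custom claim
const b64url = (v) => Buffer.from(v).toString("base64url");
const sign = (data) => crypto.createHmac("sha256", SIGNING_KEY).update(data).digest("base64url");

// Stand-in for the 3p-API auth endpoint: username/password in, access token out.
function thirdPartyLogin(username, password) {
  const users = { alice: "correct horse" };            // constructed sample account
  const ok = Object.hasOwn(users, username) && users[username] === password;
  return ok ? `3p-token-for-${username}` : null;
}

// Broker step: validate upstream, then issue a short-lived JWT carrying the 3p-API token.
function brokerLogin(username, password, now = Math.floor(Date.now() / 1000)) {
  const upstream = thirdPartyLogin(username, password);
  if (!upstream) return null;                          // no JWT when the 3p-API rejects the login
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const claims = { sub: username, iat: now, exp: now + 300, [CLAIM]: upstream };
  const payload = b64url(JSON.stringify(claims));
  return `${header}.${payload}.${sign(`${header}.${payload}`)}`;
}

// API step: check signature, algorithm and expiry before trusting the embedded token.
function extractThirdPartyToken(jwt, now = Math.floor(Date.now() / 1000)) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const expected = Buffer.from(sign(`${header}.${payload}`));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let h, claims;
  try {
    h = JSON.parse(Buffer.from(header, "base64url").toString());
    claims = JSON.parse(Buffer.from(payload, "base64url").toString());
  } catch {
    return null;                                       // malformed segments are rejected
  }
  if (h.alg !== "HS256" || typeof claims.exp !== "number" || claims.exp <= now) return null;
  return claims[CLAIM] ?? null;
}
```

The JWT payload is signed but not encrypted, so the 3p-API access token is readable by anything that holds the JWT, including the browser. That is why the sketch keeps the lifetime short and verifies before use.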