Using a trusted app login flow with an SPA

Hey guys,

Our SPA can be accessed in two ways:

  1. A standard username/password login via Auth0
  2. A link via a trusted 3rd party app that requires a login

The question is about #2. For these users, we don’t want them to remember two sets of usernames and passwords. If they’re logged in successfully to the external app, it’s good enough for us that they should be able to access our app.

The flow looks like this:

  1. User launches 3rd party app and logs in
  2. Once logged in, user clicks on a link in the external app dashboard that points to our app.
  3. On click, the external app redirects the user to our app with a token in the URL which we can use to authenticate the user.
  4. If authenticated, we would like to ‘auto login’ the user to their corresponding Auth0 user account.

What’s the recommended way to achieve this?

My thoughts:

  1. Use the passwordless API somehow - if the 3rd party token is valid, generate a magic link via Auth0 and redirect the user automatically to that link. The user should not have to check their email/SMS.
    Unfortunately I could not find a way to do this, as all the docs say that Auth0 will generate the magic link and send it via SMS. There doesn’t seem to be a way to generate the magic link via API.

  2. Get the SPA’s backend to log in on behalf of the user using the Auth0 Management API and pass the resulting access token to the SPA. The SPA stores the access token and logs the user in.

Is there a better way you can suggest to achieve the above?
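
One way the SPA's backend could validate the URL token from step 3 before doing anything in step 4, as an added example that is not part of the original post. The token format (a base64url JSON payload signed with HMAC-SHA256), the shared secret, the claim names and every function name are assumptions made for illustration; the external app's real token format is not given above.

```python
import base64, hashlib, hmac, json, time

SHARED_SECRET = b"constructed-demo-secret"  # assumption: key shared with the external app
EXPECTED_AUD = "our-spa"                    # assumption: audience value naming our app
MAX_LIFETIME = 60                           # seconds; URL tokens end up in logs and history
_seen_jti = {}                              # jti -> exp; a shared store is needed across servers

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(sub, jti, now, lifetime=30, aud=EXPECTED_AUD, key=SHARED_SECRET):
    """Stand-in for the external app; used here only to build constructed sample tokens."""
    claims = {"sub": sub, "aud": aud, "iat": now, "exp": now + lifetime, "jti": jti}
    body = _b64e(json.dumps(claims).encode())
    return body + "." + _b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify_handoff_token(token, now=None):
    """Return the external user id if the token is acceptable, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        given = _b64d(sig)
    except Exception:
        raise ValueError("malformed token")
    # Check the signature before parsing or trusting any claim.
    expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(body))
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong audience")  # token was minted for a different app
    if not (claims["iat"] <= now < claims["exp"]) or claims["exp"] - claims["iat"] > MAX_LIFETIME:
        raise ValueError("expired or over-long lifetime")
    # Single use: a token copied from a URL, log or Referer header must not work twice.
    for old in [j for j, exp in _seen_jti.items() if exp <= now]:
        del _seen_jti[old]
    if claims["jti"] in _seen_jti:
        raise ValueError("replayed token")
    _seen_jti[claims["jti"]] = claims["exp"]
    return claims["sub"]
```

Only the returned external user id should be used to look up the corresponding account, and the token itself should be dropped from the URL once it has been verified.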