I can’t quite wrap my head around how to do auth0 for the following workflow. Perhaps it is simple and I’m over thinking it:
What we need to do is leverage auth0 to let a user login to a social site (like facebook) and then use the resulting token to make API requests to the social site’s API itself. In other words, I don’t want to simply authenticate with facebook, but I want to make use of the resulting token to call facebook APIs. The client will be a webpage, so we aren’t going to be taking these tokens and using them for nefarious purposes. So ideally this would be the flow:
1. User logs into our app (using auth0) using a non-facebook login.
2. The user then clicks some link and via auth0 authorizes access to facebook using OAuth.
3. Once #2 happens, the client can then use the resulting token to make API calls to facebook’s API. So the token would need to be a facebook token, not an auth0 token (I think).
Any ideas how I would go about doing this with auth0? Any help would be greatly appreciated!
P.S. The social site in question is not actually facebook; it is an enterprise app that would not be interesting to most users. But the concept for what I need is the same.
@canvasjon this is possible! What connection/social site are you using? For Facebook, for example, we can see the steps outlined here- where once we set it up as a connection with your application and with Auth0, and once we successfully authenticate a user, we will get a Facebook-specific Access Token that will be within the user profile. That Facebook-specific access token will allow us to make calls to the Facebook API (granted we enabled the correct permissions). To retrieve the token we would need to retrieve the full user’s profile, using the Auth0 Management API, and extract the token from the response, which may be similar depending on the connection you are using. Does that make sense? Can you let us know if you are still looking to implement your application and/or if you have already done so/are encountering any issues along the way?
The site we are using is actually Bitmoji (as early beta users, so there is no official support anywhere). We are using the “Custom Social Connections” extension to do the actual oauth plumbing for the initial login.
I ended up taking care of this by doing these steps:
1. We are relying on the fact that Bitmoji’s refresh token never expires.
2. However, their access tokens expire in 1 hour.
3. When we need an access token we fetch this refresh token from auth0’s stored information (from the Identity information in the user request).
4. We then make a direct request to Bitmoji with the refresh token to get the access token (which is valid for 1 hour).
This isn’t perfectly ideal as it would be nice if we could avoid talking directly to Bitmoji’s auth servers entirely and just proxy all that information via auth0, but this is a compromise we can live with. Auth0 is still doing the most complex part and we do not have to locally persist anything (such as the refresh token) which was one of our design goals.
Hopefully the above workflow will help some future user with the same or similar needs.
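The two pieces of the thread above, pulling the provider's token out of the full Auth0 user profile (as the staff reply describes) and exchanging the provider refresh token for a short-lived access token on demand (as the final workflow describes), as an added server-side example that is not part of the original posts or of Auth0's or Bitmoji's code. The profile shape follows Auth0's `identities` array; the token values, the connection name `bitmoji`, the token endpoint URL and the client credentials are constructed placeholders. The provider exchange is injected as a callable so the example runs offline; in a real deployment that callable would POST the built request to the provider's token endpoint, and the Management API token used to read the profile (which needs the `read:user_idp_tokens` scope) must stay on the server, never in the browser.

```python
import json
import time
import urllib.parse
from typing import Callable, Dict, Optional

# Constructed sample of what the Auth0 Management API returns for
# GET /api/v2/users/{id} when the caller holds read:user_idp_tokens.
# Identity tokens only appear in this Management API response, never in
# the ID token handed to the browser. All values here are fake.
SAMPLE_PROFILE = json.loads("""
{
  "user_id": "auth0|example-user",
  "identities": [
    {"provider": "auth0", "connection": "Username-Password-Authentication",
     "user_id": "example-user", "isSocial": false},
    {"provider": "oauth2", "connection": "bitmoji",
     "user_id": "bm-12345", "isSocial": true,
     "access_token": "idp-access-token-probably-expired",
     "refresh_token": "idp-refresh-token-example"}
  ]
}
""")


def idp_refresh_token(profile: dict, connection: str) -> str:
    """Return the provider refresh token stored under `connection` in the profile."""
    for identity in profile.get("identities", []):
        if identity.get("connection") == connection:
            token = identity.get("refresh_token")
            if not token:
                raise LookupError(f"no refresh_token stored for connection {connection!r}")
            return token
    raise LookupError(f"user has no identity for connection {connection!r}")


def build_refresh_request(token_url: str, client_id: str, client_secret: str,
                          refresh_token: str):
    """Standard OAuth 2.0 refresh_token grant (RFC 6749 section 6) as (url, headers, body)."""
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return token_url, headers, body


class IdpTokenCache:
    """Per-user in-memory cache of provider access tokens.

    `exchange` takes a refresh token and returns the provider's token response
    (a dict with at least access_token and expires_in). Tokens are reused until
    `skew` seconds before expiry, so a 1-hour token is refreshed about once an
    hour instead of on every API call. Nothing is persisted to disk.
    """

    def __init__(self, exchange: Callable[[str], dict],
                 clock: Callable[[], float] = time.time, skew: int = 60):
        self._exchange = exchange
        self._clock = clock
        self._skew = skew
        self._cache: Dict[str, dict] = {}

    def access_token(self, user_id: str, refresh_token: str) -> str:
        now = self._clock()
        entry: Optional[dict] = self._cache.get(user_id)
        if entry and entry["expires_at"] - self._skew > now:
            return entry["access_token"]
        resp = self._exchange(refresh_token)
        if "access_token" not in resp:
            raise RuntimeError("provider token response lacks access_token")
        # Fall back to a short lifetime if the provider omits expires_in.
        ttl = int(resp.get("expires_in", 300))
        self._cache[user_id] = {"access_token": resp["access_token"],
                                "expires_at": now + ttl}
        return resp["access_token"]


if __name__ == "__main__":
    # Offline demo: a stand-in exchange that answers like a provider would.
    def fake_exchange(rt: str) -> dict:
        return {"access_token": "at-" + rt[-7:], "expires_in": 3600}

    rt = idp_refresh_token(SAMPLE_PROFILE, "bitmoji")
    url, headers, body = build_refresh_request(
        "https://idp.example/oauth/token", "client-id", "client-secret", rt)
    print(url, headers, body)
    cache = IdpTokenCache(fake_exchange)
    print(cache.access_token(SAMPLE_PROFILE["user_id"], rt))
```

The skew keeps a request that starts just before expiry from failing mid-flight, and keying the cache by Auth0 user id rather than by refresh token avoids leaking one user's provider session to another if two users ever shared a token value.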