Using auth0 with Firebase/Cloud functions/AWS Appstream stack?

Hi! I’m doing some testing to see if Auth0 is right for my company.

A bit of background as to what I’m trying to do here:

I have a native app that is provided to our customers via an AppStream virtual machine. Users need to be authenticated to access the virtual machine, and additionally I need to hand off an access token (or something similar) to the virtual machine to control what the users have access to in our backend once they are in the app running on the VM.

My plan was to:

  1. Use the SAML addon in Auth0 to allow a login page to authenticate and redirect users to AppStream. I was able to get this working.
  2. Have users initially log in and authenticate in their own browsers (before they have access to the virtual machine) with OAuth2 to generate an access token.
    2a. This OAuth login would have a redirect URI that points to the SAML addon Auth0 login, such that users log in with OAuth in their own browser, generate an access token, and are then redirected via SAML to the AppStream virtual machine.
    2b. Create a rule in Auth0 that sends the access token (or refresh token) as an additional parameter in the SAML assertion, such that the native app on the virtual machine can access it as an environment variable. This would be used to provide users with authorization to access different portions of my backend from the virtual machine environment.

When I went to look at the documentation for setting up an OAuth-based login, I found it hard to figure out what I should be doing here, given that all the basic quickstart guides really do not cover my scenario at all. My auth flow is initially similar to a single-page app and just requires redirects at the beginning. However, by the end, customers could theoretically access either the refresh token or access token (or even a custom token), and their authorization flow directs them through Firebase Cloud Functions, which should check their authorization to access resources. Any advice or thoughts on what I’ve outlined above? Is it possible? Is it even advised?

Additionally, I am currently trying to set up step 2a above; however, Auth0 is repeatedly telling me that my redirect_uri is not in the list of allowed redirect URIs, despite me literally copying and pasting it from the error message into my application settings. I have been trying for about 2 hours to get it fixed but have had no luck. It should be redirecting to the SAML addon IdP login endpoint, which includes a RelayState URL. I have tried both encoding and decoding the RelayState URL’s special characters. Anyone have an idea why it’s not recognizing my URI as allowed?

I am far from experienced with authentication/backend/web dev work and primarily work in C# and mobile apps, so I appreciate any help or advice you can give.
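Two of the checks the post runs into, written out as an added example that is not part of the original post or of Auth0's code. The first part models how an authorization server typically compares a requested redirect_uri against the registered allowlist (exact string comparison), and shows why a RelayState query parameter that is percent-encoded on one side and raw on the other counts as a different URI even though it decodes to the same value. The second part models what a backend (a Cloud Function, in the post's plan) should do with the access token that arrives from the VM before it grants access to a resource: pin the algorithm, verify the signature, and check expiry, audience and scope. The tenant domain, client ID, audience, scope and secret are constructed placeholders; the token is HS256 so the example runs with only the standard library, whereas a production backend would verify the provider's RS256 tokens with a JWT library against the tenant's published keys.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit, parse_qsl


# ---------- Part 1: redirect_uri allowlist check ----------

def redirect_uri_allowed(requested: str, allowlist: list) -> bool:
    """Registered redirect URIs are matched as exact strings (no wildcards,
    no decoding), so any byte-level difference means 'not allowed'."""
    return requested in allowlist


def explain_mismatch(requested: str, registered: str) -> dict:
    """Compare the two URIs component by component so the differing part
    is visible; the decoded query may agree while the raw query does not."""
    a, b = urlsplit(requested), urlsplit(registered)
    return {
        "scheme": a.scheme == b.scheme,
        "host": a.netloc.lower() == b.netloc.lower(),
        "path": a.path == b.path,
        "query_raw": a.query == b.query,
        "query_decoded": parse_qsl(a.query, keep_blank_values=True)
        == parse_qsl(b.query, keep_blank_values=True),
    }


# ---------- Part 2: backend check of the token handed to the VM ----------

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Mint a compact JWT for the demo (stands in for the identity provider)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"},
                                       separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_access_token(token: str, secret: bytes, audience: str,
                        required_scope: str, now: float = None):
    """Return the claims if the token is acceptable for this backend, else None.
    Order matters: signature first, then the claims the backend relies on."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the expected algorithm; never let the token's header choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:          # expired (or no exp at all)
        return None
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return None                          # token was issued for another API
    if required_scope not in claims.get("scope", "").split():
        return None                          # authenticated, but not authorized
    return claims


# Constructed sample values for the demo (placeholders, not real endpoints).
REGISTERED = "https://tenant.example/samlp/CLIENT_ID?RelayState=https%3A%2F%2Fappstream.example.com%2Fapp"
REQUESTED_RAW = "https://tenant.example/samlp/CLIENT_ID?RelayState=https://appstream.example.com/app"
SECRET = b"demo-secret-not-for-production"
AUDIENCE = "https://api.example/backend"

if __name__ == "__main__":
    print("exact match:", redirect_uri_allowed(REQUESTED_RAW, [REGISTERED]))
    print("difference:", explain_mismatch(REQUESTED_RAW, REGISTERED))
    tok = make_hs256_token({"sub": "user1", "aud": AUDIENCE, "exp": 2_000_000_000,
                            "scope": "read:reports"}, SECRET)
    print("backend accepts:", verify_access_token(tok, SECRET, AUDIENCE, "read:reports", now=1_700_000_000))
```

The mismatch report is the useful diagnostic for the redirect_uri error: when only `query_raw` is False, the registered entry and the request differ solely in how the RelayState is encoded, and the fix is to register the string exactly as the client sends it rather than a decoded or re-encoded variant. The token check shows that an access token reaching the VM only proves who the user is; the backend still has to confirm the token was issued for it (audience) and carries the permission for the resource (scope).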