Wondering how to implement OIDC compliant flow to an existing BaaS

Hi, I’m building a web client-side app (JavaScript) that works with a BaaS back-end. I am trying to implement an OIDC compliant authentication flow. The user logs in to my app using any social provider, then in order for my app to talk to the BaaS, I need to get a token from the BaaS that I can use to make authenticated requests on behalf of the user.

All the examples I have found focus on using Auth0 access tokens for all requests to an API. I want to use the Auth0 access token to make the initial request to the BaaS, get their token for the user, and use that token for subsequent requests to the back-end.

Of course, I can implement this in my client, but I’d rather implement this completely on the Auth0 side. Ideally, the user logs in (using Auth0 Lock), and the token I get back also includes my BaaS token.

Does anyone have any pointers on how to implement this completely inside Auth0?

There was some support for this in the form of client application addons (Firebase, etc.); however, those meant the use of the delegation endpoint, which is now unavailable for new accounts given it’s part of legacy flows.

At this time, there’s no counterpart to that on the new API surface that was introduced for OIDC compliance and your own API authorization. Having said that, this gap is something that is identified and there are discussions on introducing built-in functionality to better address those scenarios where the downstream API is not directly under your control and as such cannot also directly accept Auth0 issued tokens. However, due to this current gap, for now you’ll have to broker yourself that exchange between the different authorization forms: from the Auth0 issued access token to the format accepted by the downstream provider.
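The client-side brokering the answer describes (and the flow the question asks for), as an added example that is not from this thread, from Auth0 or from any BaaS vendor: the Auth0 access token is presented once to the BaaS, the BaaS-issued token is cached until it nears expiry and is attached to every later request, and a 401 forces one re-exchange. The exchange endpoint URL, the `{ token, expires_in }` response shape and the data URL are assumptions; a real BaaS will document its own.

```javascript
// Added example (not the thread's or Auth0's code). Assumed: the BaaS exposes
// an exchange endpoint that accepts an Auth0 access token as a Bearer token and
// answers { token, expires_in } (seconds). Everything else is injectable so the
// broker can be exercised offline with a fake fetch and a fake clock.
function createTokenBroker({ exchangeUrl, getAuth0AccessToken, fetchImpl = globalThis.fetch, now = Date.now, skewMs = 30_000 }) {
  let cached = null;   // { token, expiresAt } for the BaaS-issued token
  let exchanges = 0;   // how many times the exchange endpoint was called

  // Step 1: present the Auth0 access token to the BaaS and receive its own token.
  async function exchange() {
    const auth0Token = await getAuth0AccessToken();
    const res = await fetchImpl(exchangeUrl, {
      method: 'POST',
      headers: { Authorization: `Bearer ${auth0Token}` },
    });
    if (!res.ok) throw new Error(`token exchange failed: HTTP ${res.status}`);
    const body = await res.json();
    if (typeof body.token !== 'string' || !Number.isFinite(body.expires_in)) {
      throw new Error('token exchange response lacks token/expires_in');
    }
    exchanges += 1;
    cached = { token: body.token, expiresAt: now() + body.expires_in * 1000 };
    return cached.token;
  }

  // Reuse the cached BaaS token until it is within skewMs of expiring.
  async function getBaasToken() {
    if (cached && cached.expiresAt - skewMs > now()) return cached.token;
    return exchange();
  }

  // Step 2: every later BaaS call carries the BaaS token, never the Auth0 one.
  // A 401 drops the cache and retries exactly once with a freshly exchanged token.
  async function baasFetch(url, init = {}) {
    const send = (token) => fetchImpl(url, {
      ...init,
      headers: { ...(init.headers || {}), Authorization: `Bearer ${token}` },
    });
    let res = await send(await getBaasToken());
    if (res.status === 401) {
      cached = null;
      res = await send(await exchange());
    }
    return res;
  }

  return { getBaasToken, baasFetch, exchangeCount: () => exchanges };
}
```

Keeping the exchange behind one helper means the Auth0 access token is only ever sent to the exchange endpoint, and a short-lived BaaS token is what circulates in the rest of the client.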