I want users to be able to log in with various methods - via Auth0 - to my application. But I also want to store user info in my own database - and merge logins by ID.
i.e. if I log in with a Facebook account and a Google account, linked to the same email address (and verified), then they will end up with the same user in my application.
After reading this post: OAuth and external auth providers, it seems maybe I would end up needing to configure my own auth service and convert the auth0 access token into my own ID/access_token - effectively representing a session in my application. During the conversion from auth0 token to custom token, I'd check for an existing account with email, otherwise register a new account.
Is this the most feasible way to achieve this? I have a feeling it'd be simpler to use 1 token issuer rather than 2.
Effectively this would be a double code exchange.
Redirect Auth0 Login -> Receive code in URL -> exchange code for Auth0 token -> exchange Auth0 token for a proprietary token (relating directly to - and possibly containing cached fields of - the user in the database).
Use the finally acquired proprietary token for authorization with my services.
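As an added illustration of the last step in that flow (not the asker's code and not an Auth0 API), here is the "exchange Auth0 token for a proprietary token" piece in Python. It assumes the Auth0 ID token has already been signature-, issuer-, audience- and expiry-checked by a JWT library and takes only its claim set; the user table and session store are constructed in-memory stand-ins. The merge-by-email only happens when the provider reports `email_verified`, which is the check that keeps one provider's unverified email from being attached to an account another provider verified.

```python
import secrets
import time
from dataclasses import dataclass, field


# Constructed in-memory stand-in for the application's own user table (hypothetical schema).
@dataclass
class User:
    id: int
    email: str
    linked_subs: set = field(default_factory=set)  # Auth0 "sub" values merged into this user


class AccountStore:
    def __init__(self):
        self.users = {}     # normalised email -> User
        self.sessions = {}  # opaque proprietary token -> (user_id, expiry_epoch)
        self._next_id = 1

    def exchange(self, claims, now=None, ttl=3600):
        """Turn an already-verified Auth0 ID-token claim set into a proprietary session token.

        Only the account merge and session issuance happen here; signature/issuer/audience/
        expiry validation of the Auth0 token is assumed to have been done by the caller.
        """
        now = time.time() if now is None else now
        email, sub = claims.get("email"), claims.get("sub")
        if not email or not sub:
            raise ValueError("token lacks email or sub claim")
        # Merge only on a provider-verified email; an unverified email must never link to
        # (and thereby take over) an account that another provider verified.
        if claims.get("email_verified") is not True:
            raise PermissionError("refusing to link account: email not verified by provider")
        key = email.strip().lower()
        user = self.users.get(key)
        if user is None:  # no account with this verified email yet: register one
            user = User(id=self._next_id, email=key)
            self._next_id += 1
            self.users[key] = user
        user.linked_subs.add(sub)  # record this provider identity against the merged user
        token = secrets.token_urlsafe(32)  # opaque, unguessable; the app is the only issuer
        self.sessions[token] = (user.id, now + ttl)
        return token

    def resolve(self, token, now=None):
        """Map a proprietary token back to a user id, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self.sessions.get(token)
        if entry is None or entry[1] <= now:
            return None
        return entry[0]
```

Because the proprietary token is the only credential the application's services ever see, revoking or expiring it in `sessions` ends access without involving Auth0.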