We (company A) are developing an App. We want to expose functionality of Company B in our App (Post / Get calls to their API).
Requirements:
- Company B wants us to provide a solution that costs them minimal setup time on their end.
- Legally we cannot show a username and password field in our own App to authenticate the user with Company B's API.
- We could ask for the e-mail address of the user with a submit button and trigger a password-less flow? But open to better suggestions.
Flow of Company B's App:
- Show login page
- POST call with username and password:
  https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=AIz..4E
- Response call with JWT Token:
  https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=AI..4E
  Body: { "idToken": "eyJhbGciOiJSUz...KFQ" }
Pasting this JWT Token in our API calls to Company B is enough for this to work.
Question:
Would a password-less flow work? And if yes, how would I get the JWT Token?
Things tried:
- Tried this tutorial but it also refers to a Firebase object, and I don't think users are stored on Firebase.
- Tried the Firebase email-link sign-in tutorial. They have their userbase on Google Identity, and not on Firebase. Otherwise this would be a great implementation.
- Zapier connects to all these third-party APIs by actually using and storing the user's information. This would be the easiest, but not possible for us.
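
Added example, not part of the original post and not Company B's code: the e-mail-link exchange against the same identitytoolkit.googleapis.com host the post shows, using the REST methods `accounts:sendOobCode` and `accounts:signInWithEmailLink`. It assumes Company B's project has e-mail-link sign-in enabled; the API key, e-mail address, continue URL and the `post` transport parameter are constructed placeholders.

```python
import json
import urllib.request
from urllib.parse import parse_qs, urlparse

BASE = "https://identitytoolkit.googleapis.com/v1/accounts"  # host from the post

def http_post(url, body):
    """Default transport: JSON POST over HTTPS, returns the decoded reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def send_sign_in_link(api_key, email, continue_url, post=http_post):
    """Step 1: have Identity Toolkit e-mail a one-time sign-in link."""
    return post(f"{BASE}:sendOobCode?key={api_key}",
                {"requestType": "EMAIL_SIGNIN", "email": email,
                 "continueUrl": continue_url, "canHandleCodeInApp": True})

def exchange_link_for_token(api_key, email, clicked_link, post=http_post):
    """Step 2: trade the oobCode in the clicked link for an ID token (JWT)."""
    codes = parse_qs(urlparse(clicked_link).query).get("oobCode", [])
    if len(codes) != 1:
        raise ValueError("link must carry exactly one oobCode")
    reply = post(f"{BASE}:signInWithEmailLink?key={api_key}",
                 {"oobCode": codes[0], "email": email})
    return reply["idToken"]  # same kind of token signInWithPassword returns

if __name__ == "__main__":
    # Offline demo with a constructed transport and constructed values.
    def fake_post(url, body):
        print("POST", url.split("?")[0], body)
        return {"idToken": "constructed.jwt.value", "email": body["email"]}
    send_sign_in_link("PLACEHOLDER_KEY", "user@example.com",
                      "https://app.example/finish", post=fake_post)
    link = "https://app.example/finish?mode=signIn&oobCode=CONSTRUCTED"
    print(exchange_link_for_token("PLACEHOLDER_KEY", "user@example.com",
                                  link, post=fake_post))
```

The e-mail passed in step 2 must be the one the link was sent to, and the `oobCode` is single-use, so the app should keep the address from step 1 rather than ask for it again.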