How can I get an Auth0 JWT token in the Redash client to connect to internal APIs?

[gpspake]

I have configured Redash to use the Auth0 SAML2 add on for authentication per the docs. That works. However, once the user is authenticated, we need to get an Auth0 JWT in the client that can be used for connections to internal APIs that require a JWT for authentication.

Based on this Auth0 community thread,

It’s not possible to convert a SAML response to an access token directly - however, you will be able to perform a silent authentication after the user logs in with SAML to get an access token.

So my understanding is that I should be able to use the Auth0 react SDK to initiate a silent authentication and get a token. However, based on the way authentication is handled server side in Redash, I'm wondering if this is possible and how anyone else who's run in to this same requirement may have handled it.

Note: I understand that, once we have a token in the client, using it in requests will require some customization but my immediate goal is to prove that I can, in fact, get a JWT in the client.

[gpspake]

Update: I've managed to get a jwt from Auth0 in the client using the react sdk with getAccessTokenWithPopup() but I haven't been able to get silent authentication working (it fails with "login required") - So right now I have to show the pop up which requires the user to login - the double login UX isn't going to work so now I'm considering whether we should just completely replace the saml implementation with Auth0's react sdk.

[justinclift]

No worries. No real insight here to help, as I'm not clueful with jwt / frontend auth stuff.

So, am just watching from the sidelines. 👼

[gpspake]

Thanks... I'll add the context that by "Internal APIs" I mean we're basically talking to an internal Presto emulator service. Currently we're just adding a Presto connection with username and password but eventually we'll want to authenticate those requests with an Auth0 JWT.

[gpspake]

Right now, the idea is to register an axios interceptor once we have the token that will add the token header to the relevant requests.

[gpspake]

Just to re-summarize the problem here:
We log in to Redash using SAML via auth0's SAML2 add on.
We get a SAML response in the redash server (flask) that includes the auth0 ID as well as their username and email.
The user is authenticated and the react app is served up to the browser.
Now, we need a JWT from auth0 in the client that we can add to request headers (via an axios interceptor) to authenticate query requests to our apis based on the current user.

For example:
An admin sets up a Redshift data source with a blank username and password (since it will be authenticated via the current user's jwt).
A user logs (via saml) in and selects that data source for a query and executes it.
A request is sent to the redash server with an Auth0 JWT in the header (that we've modified redash to include via axios interceptor) which is in turn passed along to our internal Redshift adapter.
The question is: Where does the JWT come from?
Silent auth in the SPA assumes the client app is authenticated via Auth0 but in this case, it was handled on the back end.