Change passwordless user email

danillouz · February 22, 2019, 8:04pm

Hi, I’ve been struggling a bit with implementing a “verify email” feature.

What I’m trying to build is allowing a user that already has an account of connection type email (passwordless strategy using an verification code) to update their email address. I’d like the user to receive a verification email after they update their email address with a new one.

I tried to achieve this via the Management API V2 and it works, up to the point when I visit the emailed verification link. The link redirects me to my web client (SPA), where I get the following error:

{
  "error": "invalid_hash",
  "errorDescription": "response_type contains `id_token`, but the parsed hash does not contain an `id_token` property"
}

Implementation

I have a Node.js API that is making requests to the Auth0 management API like so:

module.exports = function updateEmail(client, userId, email) {
  const data = {
    email,
    connection: 'email',
    email_verified: false,
    verify_email: true,
    client_id: CLIENT_ID
  };

  return client.updateUser({ id: userId }, data);
};

Calling the endpoint updates the properties for the user correctly (visible in the dashboard) and a verification email is also sent.

The CLIENT_ID is set to the application which represents the web client (SPA) that will eventually call this API.
The web client itself implements the passwordless webauth strategy and users can signup/login without any problems. This web client has a /callback route which calls webAuth.parseHash.

The emailed verification link has an URL of the format:

https://my-web-client.com/callback#access_token=SOME_TOKEN&scope=openid%20profile&expires_in=7200&token_type=Bearer

Which links to the /callback route of the web client and the mentioned error is triggered by the webAuth.parseHash routine.

I’m currently calling my API, which updates the email and triggers the email verification, from a REST client.
Note that I’m not doing anything else (like scheduling a “verify email address” job) besides setting the verify_email to true on the user in question.

Setup

Default Auth0 email provider is used (I’m still in development).
In “Passwordless Connections”, “Email” is enabled with the following settings:
- “Authentication Parameters”: { "scope": "openid profile" }
- “Disable Signups” true (issue persists when set to false)
“Email Templates”, “Verification Email”, has “Status” set to true.

Do I have something misconfigured? Or is my approach wrong?
Any advice would be greatly appreciated!

viszt · March 10, 2019, 3:44pm

What i did was to create a random number for an email address change, and i store that number in app_metadata. I send this number to the user via email(to the address they want to change to). In my frontend, i ask for this number to verify the password change and i just simply update the email address using the management api:

//Change email address
var data = {
  email: req.body.email,
  connection: 'email',
  client_id: 'SY0J70ks73fKrTkUm3pVy0d3TZpUa3jX'
}
req.auth0.updateUser({ id: req.user.user_id }, data, function (err, user) {
  //...
});

This process (i think) eliminates the need for an extra email verification.

dekel · June 12, 2019, 12:22pm

@danillouz
I’m also in the same boat
I want to implement the passwordless authentication but currently have the same error as you have

Have you found a solution since you’ve posted this?

danillouz · June 12, 2019, 12:40pm

Unfortunately not. I switched to email+password.

After a lot of searching/experimenting I decided to abandon paswordless, because I couldn’t implement a usable solution I was satisfied with.

I also attempted to learn more about best practices for email verification/updates with passwordless. But was quite suprised not getting any response, nor finding any documentation on this.