Hi, I’ve been struggling a bit with implementing a “verify email” feature.
What I’m trying to build is allowing a user that already has an account of connection type email
(passwordless strategy using a verification code) to update their email address. I’d like the user to receive a verification email after they update their email address with a new one.
I tried to achieve this via the Management API V2 and it works, up to the point when I visit the emailed verification link. The link redirects me to my web client (SPA), where I get the following error:
    {
      "error": "invalid_hash",
      "errorDescription": "response_type contains `id_token`, but the parsed hash does not contain an `id_token` property"
    }
Implementation
I have a Node.js API that is making requests to the Auth0 management API like so:
    // `client` is an Auth0 ManagementClient (node-auth0) created elsewhere
    // with Management API credentials.
    const CLIENT_ID = process.env.AUTH0_CLIENT_ID; // client ID of the SPA application

    module.exports = function updateEmail(client, userId, email) {
      const data = {
        email,
        connection: 'email',    // passwordless email connection
        email_verified: false,  // the new address starts out unverified
        verify_email: true,     // ask Auth0 to send the verification email
        client_id: CLIENT_ID    // application associated with the request (the SPA)
      };
      return client.updateUser({ id: userId }, data);
    };
Calling the endpoint updates the properties for the user correctly (visible in the dashboard) and a verification email is also sent.
The CLIENT_ID is set to the application which represents the web client (SPA) that will eventually call this API.
The web client itself implements the passwordless webauth strategy and users can signup/login without any problems. This web client has a /callback route which calls webAuth.parseHash.
The emailed verification link has a URL of the format:
    https://my-web-client.com/callback#access_token=SOME_TOKEN&scope=openid%20profile&expires_in=7200&token_type=Bearer
which links to the /callback route of the web client, and the mentioned error is triggered by the webAuth.parseHash routine.
I’m currently calling my API, which updates the email and triggers the email verification, from a REST client.
Note that I’m not doing anything else (like scheduling a “verify email address” job) besides setting verify_email to true on the user in question.
Setup
- Default Auth0 email provider is used (I’m still in development).
- In “Passwordless Connections”, “Email” is enabled with the following settings:
  - “Authentication Parameters”: { "scope": "openid profile" }
  - “Disable Signups”: true (issue persists when set to false)
- “Email Templates”, “Verification Email”, has “Status” set to true.
Do I have something misconfigured? Or is my approach wrong?
Any advice would be greatly appreciated!
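The fragment in the verification link above carries an access_token but no id_token, which is exactly what parseHash complains about. As an added example (not code from the original post and not Auth0's own library), here is a guard for the /callback route that parses the URL fragment and classifies it before anything is handed to webAuth.parseHash, so a visit that is not a login response can be routed elsewhere instead of surfacing invalid_hash. The token values are placeholders, the login fragment is constructed, and `webAuth` is assumed to be an auth0.WebAuth instance configured elsewhere in the SPA; this is a defensive check, not an answer to the configuration question.

```javascript
// Added example: classify a /callback URL fragment before calling
// webAuth.parseHash. parseHash expects an id_token when the client's
// response_type includes `id_token`; a fragment without one (like the
// emailed verification link in the post) makes it throw invalid_hash.

// Fragment copied from the post (SOME_TOKEN is a placeholder, not a real token).
const SAMPLE_VERIFICATION_HASH =
  '#access_token=SOME_TOKEN&scope=openid%20profile&expires_in=7200&token_type=Bearer';

// Constructed sample of what a passwordless login response carries
// (AT / IDT / abc are placeholders).
const SAMPLE_LOGIN_HASH =
  '#access_token=AT&id_token=IDT&scope=openid%20profile&expires_in=7200&token_type=Bearer&state=abc';

// Parse "#a=b&c=d" into a plain object; percent-encoding is decoded and
// a repeated key keeps its last value, as URLSearchParams does.
function parseFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  const params = {};
  for (const [key, value] of new URLSearchParams(raw)) {
    params[key] = value;
  }
  return params;
}

// Only a fragment carrying an id_token (and, when the app uses one, a state
// value) is a login response parseHash can consume. Everything else is
// reported with a reason so the caller decides what to do (show a
// "verified" page, redirect home, log it).
function classifyCallbackHash(hash, { expectState = false } = {}) {
  const params = parseFragment(hash);
  if (params.error) {
    return { kind: 'error', reason: params.error_description || params.error, params };
  }
  if (!params.access_token) {
    return { kind: 'not_auth_response', reason: 'no access_token in fragment', params };
  }
  if (!params.id_token) {
    return { kind: 'missing_id_token', reason: 'fragment has access_token but no id_token', params };
  }
  if (expectState && !params.state) {
    return { kind: 'missing_state', reason: 'login response without state value', params };
  }
  return { kind: 'login', reason: 'ok', params };
}

// How the /callback route might use the guard. `webAuth` is assumed to be an
// auth0.WebAuth instance; parseHash({ hash }, cb) is its documented form.
function handleCallback(webAuth, hash) {
  const result = classifyCallbackHash(hash, { expectState: true });
  if (result.kind !== 'login') {
    // Skip parseHash: it would throw invalid_hash for this fragment.
    return Promise.resolve(result);
  }
  return new Promise((resolve, reject) => {
    webAuth.parseHash({ hash }, (err, authResult) =>
      err ? reject(err) : resolve({ kind: 'login', authResult }));
  });
}
```

In the SPA, the route handler would call handleCallback(webAuth, window.location.hash) and branch on `kind`: a `login` result continues the normal session setup, while `missing_id_token` is the verification-link case from the post and can be shown as a plain "address verified" page without touching parseHash.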